diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 30c77279a77f..a9e49ed6a681 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -506,6 +506,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add Huawei Cloud provider to add_cloud_metadata. {pull}27607[27607] - Add default seccomp policy for linux arm64. {pull}27955[27955] - Add cluster level add_kubernetes_metadata support for centralized enrichment {pull}24621[24621] +- Update ECS to 1.12.0. {pull}27770[27770] +- Fields mapped as `match_only_text` will automatically fallback to a `text` mapping when using Elasticsearch versions that do not support `match_only_text`. {pull}27770[27770] *Auditbeat* diff --git a/NOTICE.txt b/NOTICE.txt index db0d69fc40c2..d0209a2cc615 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -6042,11 +6042,11 @@ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -------------------------------------------------------------------------------- Dependency : github.com/elastic/ecs -Version: v1.11.0 +Version: v1.12.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/ecs@v1.11.0/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/elastic/ecs@v1.12.0/LICENSE.txt: Apache License diff --git a/auditbeat/cmd/root.go b/auditbeat/cmd/root.go index eee8162914b0..2d3a802ce231 100644 --- a/auditbeat/cmd/root.go +++ b/auditbeat/cmd/root.go @@ -35,7 +35,7 @@ const ( Name = "auditbeat" // ecsVersion specifies the version of ECS that Auditbeat is implementing. - ecsVersion = "1.11.0" + ecsVersion = "1.12.0" ) // RootCmd for running auditbeat. diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 2f1ec7e5320e..94a6dfa0fc23 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc 
@@ -2876,7 +2876,7 @@ For log events the message field contains the log message, optimized for viewing For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. -type: text +type: match_only_text example: Hello World @@ -3003,7 +3003,7 @@ example: Google LLC *`as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -3050,7 +3050,7 @@ example: Google LLC *`client.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -3335,7 +3335,7 @@ example: Albert Einstein *`client.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -3384,6 +3384,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`client.user.name`*:: @@ -3393,14 +3395,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`client.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -3551,6 +3553,18 @@ example: lambda These fields contain information about binary code signatures. +*`code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`code_signature.exists`*:: + -- @@ -3609,6 +3623,17 @@ example: EQHXZ8M8AV -- +*`code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`code_signature.trusted`*:: + -- @@ -3788,7 +3813,7 @@ example: Google LLC *`destination.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -4073,7 +4098,7 @@ example: Albert Einstein *`destination.user.full_name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -4122,6 +4147,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`destination.user.name`*:: @@ -4131,14 +4158,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`destination.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -4164,6 +4191,18 @@ Many operating systems refer to "shared code libraries" with different names, bu * Dynamic library (`.dylib`) commonly used on macOS +*`dll.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`dll.code_signature.exists`*:: + -- @@ -4222,6 +4261,17 @@ example: EQHXZ8M8AV -- +*`dll.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`dll.code_signature.trusted`*:: + -- @@ -4945,7 +4995,7 @@ type: keyword -- Error message. -type: text +type: match_only_text -- @@ -4954,16 +5004,14 @@ type: text -- The stack trace of this error in plain text. -type: keyword - -Field is not indexed. +type: wildcard -- *`error.stack_trace.text`*:: + -- -type: text +type: match_only_text -- @@ -5330,6 +5378,18 @@ example: ["readonly", "system"] -- +*`file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`file.code_signature.exists`*:: + -- @@ -5388,6 +5448,17 @@ example: EQHXZ8M8AV -- +*`file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`file.code_signature.trusted`*:: + -- 
@@ -5759,6 +5830,19 @@ example: png -- +*`file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`file.gid`*:: + -- @@ -5902,7 +5986,7 @@ example: /home/alice/example.png *`file.path.text`*:: + -- -type: text +type: match_only_text -- @@ -6008,7 +6092,7 @@ type: keyword *`file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -6812,7 +6896,7 @@ example: Mac OS Mojave *`host.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -6841,7 +6925,7 @@ example: Mac OS X *`host.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -6934,7 +7018,7 @@ example: Albert Einstein *`host.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -6983,6 +7067,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`host.user.name`*:: @@ -6992,14 +7078,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`host.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7038,7 +7124,7 @@ format: bytes -- The full HTTP request body. -type: keyword +type: wildcard example: Hello world 
@@ -7047,7 +7133,7 @@ example: Hello world *`http.request.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -7131,7 +7217,7 @@ format: bytes -- The full HTTP response body. -type: keyword +type: wildcard example: Hello world @@ -7140,7 +7226,7 @@ example: Hello world *`http.response.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -7949,7 +8035,7 @@ example: Mac OS Mojave *`observer.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -7978,7 +8064,7 @@ example: Mac OS X *`observer.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8196,7 +8282,7 @@ type: keyword *`organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8231,7 +8317,7 @@ example: Mac OS Mojave *`os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -8260,7 +8346,7 @@ example: Mac OS X *`os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8566,6 +8652,18 @@ example: 4 -- +*`process.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.code_signature.exists`*:: + -- @@ -8624,6 +8722,17 @@ example: EQHXZ8M8AV -- +*`process.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.code_signature.trusted`*:: + -- @@ -8654,7 +8763,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -8663,7 +8772,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.command_line.text`*:: + -- -type: text +type: match_only_text -- 
@@ -8948,6 +9057,17 @@ type: keyword -- +*`process.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.entity_id`*:: + -- @@ -8975,7 +9095,7 @@ example: /usr/bin/ssh *`process.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -9051,7 +9171,7 @@ example: ssh *`process.name.text`*:: + -- -type: text +type: match_only_text -- @@ -9079,6 +9199,18 @@ example: 4 -- +*`process.parent.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.parent.code_signature.exists`*:: + -- @@ -9137,6 +9269,17 @@ example: EQHXZ8M8AV -- +*`process.parent.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.parent.code_signature.trusted`*:: + -- @@ -9167,7 +9310,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -9176,7 +9319,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.parent.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -9461,6 +9604,17 @@ type: keyword -- +*`process.parent.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.parent.entity_id`*:: + -- @@ -9488,7 +9642,7 @@ example: /usr/bin/ssh *`process.parent.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -9564,7 +9718,7 @@ example: ssh *`process.parent.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -9731,7 +9885,7 @@ type: keyword *`process.parent.title.text`*:: + -- -type: text +type: match_only_text -- @@ -9760,7 +9914,7 @@ example: /home/alice *`process.parent.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -9927,7 +10081,7 @@ type: keyword *`process.title.text`*:: + -- -type: text +type: match_only_text -- @@ -9956,7 +10110,7 @@ example: /home/alice *`process.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -9984,7 +10138,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -10250,7 +10404,7 @@ example: Google LLC *`server.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -10535,7 +10689,7 @@ example: Albert Einstein *`server.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -10584,6 +10738,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`server.user.name`*:: @@ -10593,14 +10749,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`server.user.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -10622,6 +10778,30 @@ The service fields describe the service for or from which the data was collected These fields help you find and correlate logs for a specific service and version. +*`service.address`*:: ++ +-- +Address where data about this service was collected from. +This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + +type: keyword + +example: 172.26.0.2:5432 + +-- + +*`service.environment`*:: ++ +-- +Identifies the environment where the service is running. +If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + +type: keyword + +example: production + +-- + *`service.ephemeral_id`*:: + -- @@ -10749,7 +10929,7 @@ example: Google LLC *`source.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -11034,7 +11214,7 @@ example: Albert Einstein *`source.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -11083,6 +11263,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`source.user.name`*:: @@ -11092,14 +11274,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`source.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -11164,7 +11346,7 @@ example: Google LLC *`threat.enrichments.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -11228,6 +11410,18 @@ example: ["readonly", "system"] -- +*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.enrichments.indicator.file.code_signature.exists`*:: + -- @@ -11286,6 +11480,17 @@ example: EQHXZ8M8AV -- +*`threat.enrichments.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- @@ -11657,6 +11862,19 @@ example: png -- +*`threat.enrichments.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.enrichments.indicator.file.gid`*:: + -- 
@@ -11679,6 +11897,51 @@ example: alice -- +*`threat.enrichments.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.enrichments.indicator.file.inode`*:: + -- 
@@ -11755,26 +12018,104 @@ example: /home/alice/example.png *`threat.enrichments.indicator.file.path.text`*:: + -- -type: text +type: match_only_text -- -*`threat.enrichments.indicator.file.size`*:: +*`threat.enrichments.indicator.file.pe.architecture`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +CPU architecture target for the file. -type: long +type: keyword -example: 16384 +example: x64 -- -*`threat.enrichments.indicator.file.target_path`*:: +*`threat.enrichments.indicator.file.pe.company`*:: + -- -Target path for symlinks. +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.enrichments.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.enrichments.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.enrichments.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.enrichments.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.enrichments.indicator.file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". 
+ +type: long + +example: 16384 + +-- + +*`threat.enrichments.indicator.file.target_path`*:: ++ +-- +Target path for symlinks. type: keyword @@ -11783,7 +12124,7 @@ type: keyword *`threat.enrichments.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -11944,51 +12285,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.enrichments.indicator.ip`*:: + -- 
@@ -12037,84 +12333,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.enrichments.indicator.port`*:: + -- 
@@ -12166,7 +12384,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -12319,7 +12537,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -12328,7 +12546,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.enrichments.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -12339,7 +12557,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -12348,7 +12566,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.enrichments.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -12366,7 +12584,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -12784,7 +13002,8 @@ example: MITRE ATT&CK *`threat.group.alias`*:: + -- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword @@ -12795,7 +13014,8 @@ example: [ "Magecart Group 6" ] *`threat.group.id`*:: + -- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group id. type: keyword @@ -12806,7 +13026,8 @@ example: G0037 *`threat.group.name`*:: + -- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group name. type: keyword @@ -12817,7 +13038,8 @@ example: FIN6 *`threat.group.reference`*:: + -- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword 
@@ -12850,7 +13072,7 @@ example: Google LLC *`threat.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -12915,6 +13137,18 @@ example: ["readonly", "system"] -- +*`threat.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.indicator.file.code_signature.exists`*:: + -- @@ -12973,6 +13207,17 @@ example: EQHXZ8M8AV -- +*`threat.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.indicator.file.code_signature.trusted`*:: + -- @@ -13344,6 +13589,19 @@ example: png -- +*`threat.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.indicator.file.gid`*:: + -- 
@@ -13366,6 +13624,51 @@ example: alice -- +*`threat.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.indicator.file.inode`*:: + -- 
@@ -13442,7 +13745,85 @@ example: /home/alice/example.png *`threat.indicator.file.path.text`*:: + -- -type: text +type: match_only_text + +-- + +*`threat.indicator.file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System -- @@ -13470,7 +13851,7 @@ type: keyword *`threat.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -13631,51 +14012,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.indicator.ip`*:: + -- @@ -13725,84 +14061,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.indicator.port`*:: + -- 
@@ -13854,7 +14112,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -14008,7 +14266,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -14017,7 +14275,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -14028,7 +14286,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -14037,7 +14295,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -14055,7 +14313,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -14404,10 +14662,23 @@ example: 3 -- +*`threat.software.alias`*:: ++ +-- +The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® associated software description. + +type: keyword + +example: [ "X-Agent" ] + +-- + *`threat.software.id`*:: + -- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software id. type: keyword @@ -14418,7 +14689,8 @@ example: S0552 *`threat.software.name`*:: + -- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software name. type: keyword @@ -14429,7 +14701,7 @@ example: AdFind *`threat.software.platforms`*:: + -- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure @@ -14442,6 +14714,8 @@ Recommended Values: * SaaS * Windows +While not required, you can use a MITRE ATT&CK® software platforms. + type: keyword example: [ "Windows" ] 
@@ -14451,7 +14725,8 @@ example: [ "Windows" ] *`threat.software.reference`*:: + -- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword @@ -14462,11 +14737,13 @@ example: https://attack.mitre.org/software/S0552/ *`threat.software.type`*:: + -- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool + While not required, you can use a MITRE ATT&CK® software type. + type: keyword example: Tool @@ -14531,7 +14808,7 @@ example: Command and Scripting Interpreter *`threat.technique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -14571,7 +14848,7 @@ example: PowerShell *`threat.technique.subtechnique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -15519,7 +15796,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -15528,7 +15805,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`url.full.text`*:: + -- -type: text +type: match_only_text -- 
@@ -15539,7 +15816,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -15548,7 +15825,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -15566,7 +15843,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- @@ -15691,7 +15968,7 @@ example: Albert Einstein *`user.changes.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -15740,6 +16017,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.changes.name`*:: @@ -15749,14 +16028,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.changes.name.text`*:: + -- -type: text +type: match_only_text -- @@ -15814,7 +16093,7 @@ example: Albert Einstein *`user.effective.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -15863,6 +16142,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.effective.name`*:: @@ -15872,14 +16153,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.effective.name.text`*:: + -- -type: text +type: match_only_text -- @@ -15917,7 +16198,7 @@ example: Albert Einstein *`user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -15966,6 +16247,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.name`*:: 
@@ -15975,14 +16258,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -16030,7 +16313,7 @@ example: Albert Einstein *`user.target.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -16079,6 +16362,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.target.name`*:: @@ -16088,14 +16373,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.target.name.text`*:: + -- -type: text +type: match_only_text -- @@ -16153,7 +16438,7 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605. *`user_agent.original.text`*:: + -- -type: text +type: match_only_text -- @@ -16182,7 +16467,7 @@ example: Mac OS Mojave *`user_agent.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -16211,7 +16496,7 @@ example: Mac OS X *`user_agent.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -16335,7 +16620,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC... *`vulnerability.description.text`*:: + -- -type: text +type: match_only_text -- diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go index 3f83d35a1a21..78b96b65467d 100644 --- a/auditbeat/include/fields.go +++ b/auditbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded zlib format compressed contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml index 266dda40bdfe..fd413ee79128 100644 --- a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml +++ b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml 
@@ -196,7 +196,7 @@ data: - add_fields: target: '' fields: - ecs.version: 1.9.0 + ecs.version: 1.12.0 - data_stream: dataset: system.syslog type: logs @@ -212,7 +212,7 @@ data: - add_fields: target: '' fields: - ecs.version: 1.9.0 + ecs.version: 1.12.0 - name: container-log type: logfile use_output: default diff --git a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml index c6b9f47aaf08..f5cb508d367c 100644 --- a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml +++ b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml @@ -196,7 +196,7 @@ data: - add_fields: target: '' fields: - ecs.version: 1.9.0 + ecs.version: 1.12.0 - data_stream: dataset: system.syslog type: logs @@ -212,7 +212,7 @@ data: - add_fields: target: '' fields: - ecs.version: 1.9.0 + ecs.version: 1.12.0 - name: container-log type: logfile use_output: default diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index ce8fa78718b3..c3b2e75246f8 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -34640,7 +34640,7 @@ For log events the message field contains the log message, optimized for viewing For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. -type: text +type: match_only_text example: Hello World @@ -34767,7 +34767,7 @@ example: Google LLC *`as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -34814,7 +34814,7 @@ example: Google LLC *`client.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -35099,7 +35099,7 @@ example: Albert Einstein *`client.user.full_name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -35148,6 +35148,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`client.user.name`*:: @@ -35157,14 +35159,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`client.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -35315,6 +35317,18 @@ example: lambda These fields contain information about binary code signatures. +*`code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`code_signature.exists`*:: + -- @@ -35373,6 +35387,17 @@ example: EQHXZ8M8AV -- +*`code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`code_signature.trusted`*:: + -- @@ -35552,7 +35577,7 @@ example: Google LLC *`destination.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -35837,7 +35862,7 @@ example: Albert Einstein *`destination.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -35886,6 +35911,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`destination.user.name`*:: @@ -35895,14 +35922,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`destination.user.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -35928,6 +35955,18 @@ Many operating systems refer to "shared code libraries" with different names, bu * Dynamic library (`.dylib`) commonly used on macOS +*`dll.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`dll.code_signature.exists`*:: + -- @@ -35986,6 +36025,17 @@ example: EQHXZ8M8AV -- +*`dll.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`dll.code_signature.trusted`*:: + -- @@ -36709,7 +36759,7 @@ type: keyword -- Error message. -type: text +type: match_only_text -- @@ -36718,16 +36768,14 @@ type: text -- The stack trace of this error in plain text. -type: keyword - -Field is not indexed. +type: wildcard -- *`error.stack_trace.text`*:: + -- -type: text +type: match_only_text -- @@ -37094,6 +37142,18 @@ example: ["readonly", "system"] -- +*`file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`file.code_signature.exists`*:: + -- @@ -37152,6 +37212,17 @@ example: EQHXZ8M8AV -- +*`file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`file.code_signature.trusted`*:: + -- 
@@ -37523,6 +37594,19 @@ example: png -- +*`file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`file.gid`*:: + -- @@ -37666,7 +37750,7 @@ example: /home/alice/example.png *`file.path.text`*:: + -- -type: text +type: match_only_text -- @@ -37772,7 +37856,7 @@ type: keyword *`file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -38576,7 +38660,7 @@ example: Mac OS Mojave *`host.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -38605,7 +38689,7 @@ example: Mac OS X *`host.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -38698,7 +38782,7 @@ example: Albert Einstein *`host.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -38747,6 +38831,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`host.user.name`*:: @@ -38756,14 +38842,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`host.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -38802,7 +38888,7 @@ format: bytes -- The full HTTP request body. -type: keyword +type: wildcard example: Hello world 
@@ -38811,7 +38897,7 @@ example: Hello world *`http.request.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -38895,7 +38981,7 @@ format: bytes -- The full HTTP response body. -type: keyword +type: wildcard example: Hello world @@ -38904,7 +38990,7 @@ example: Hello world *`http.response.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -39713,7 +39799,7 @@ example: Mac OS Mojave *`observer.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -39742,7 +39828,7 @@ example: Mac OS X *`observer.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -39960,7 +40046,7 @@ type: keyword *`organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -39995,7 +40081,7 @@ example: Mac OS Mojave *`os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -40024,7 +40110,7 @@ example: Mac OS X *`os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -40330,6 +40416,18 @@ example: 4 -- +*`process.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.code_signature.exists`*:: + -- @@ -40388,6 +40486,17 @@ example: EQHXZ8M8AV -- +*`process.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.code_signature.trusted`*:: + -- @@ -40418,7 +40527,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -40427,7 +40536,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.command_line.text`*:: + -- -type: text +type: match_only_text -- 
@@ -40712,6 +40821,17 @@ type: keyword -- +*`process.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.entity_id`*:: + -- @@ -40739,7 +40859,7 @@ example: /usr/bin/ssh *`process.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -40815,7 +40935,7 @@ example: ssh *`process.name.text`*:: + -- -type: text +type: match_only_text -- @@ -40843,6 +40963,18 @@ example: 4 -- +*`process.parent.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.parent.code_signature.exists`*:: + -- @@ -40901,6 +41033,17 @@ example: EQHXZ8M8AV -- +*`process.parent.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.parent.code_signature.trusted`*:: + -- @@ -40931,7 +41074,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -40940,7 +41083,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.parent.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -41225,6 +41368,17 @@ type: keyword -- +*`process.parent.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.parent.entity_id`*:: + -- @@ -41252,7 +41406,7 @@ example: /usr/bin/ssh *`process.parent.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -41328,7 +41482,7 @@ example: ssh *`process.parent.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -41495,7 +41649,7 @@ type: keyword *`process.parent.title.text`*:: + -- -type: text +type: match_only_text -- @@ -41524,7 +41678,7 @@ example: /home/alice *`process.parent.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -41691,7 +41845,7 @@ type: keyword *`process.title.text`*:: + -- -type: text +type: match_only_text -- @@ -41720,7 +41874,7 @@ example: /home/alice *`process.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -41748,7 +41902,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -42014,7 +42168,7 @@ example: Google LLC *`server.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -42299,7 +42453,7 @@ example: Albert Einstein *`server.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -42348,6 +42502,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`server.user.name`*:: @@ -42357,14 +42513,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`server.user.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -42386,6 +42542,30 @@ The service fields describe the service for or from which the data was collected These fields help you find and correlate logs for a specific service and version. +*`service.address`*:: ++ +-- +Address where data about this service was collected from. +This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + +type: keyword + +example: 172.26.0.2:5432 + +-- + +*`service.environment`*:: ++ +-- +Identifies the environment where the service is running. +If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + +type: keyword + +example: production + +-- + *`service.ephemeral_id`*:: + -- @@ -42513,7 +42693,7 @@ example: Google LLC *`source.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -42798,7 +42978,7 @@ example: Albert Einstein *`source.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -42847,6 +43027,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`source.user.name`*:: @@ -42856,14 +43038,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`source.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -42928,7 +43110,7 @@ example: Google LLC *`threat.enrichments.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -42992,6 +43174,18 @@ example: ["readonly", "system"] -- +*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.enrichments.indicator.file.code_signature.exists`*:: + -- @@ -43050,6 +43244,17 @@ example: EQHXZ8M8AV -- +*`threat.enrichments.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- @@ -43421,6 +43626,19 @@ example: png -- +*`threat.enrichments.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.enrichments.indicator.file.gid`*:: + -- 
@@ -43443,6 +43661,51 @@ example: alice -- +*`threat.enrichments.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.enrichments.indicator.file.inode`*:: + -- 
@@ -43519,15 +43782,93 @@ example: /home/alice/example.png *`threat.enrichments.indicator.file.path.text`*:: + -- -type: text +type: match_only_text -- -*`threat.enrichments.indicator.file.size`*:: +*`threat.enrichments.indicator.file.pe.architecture`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.enrichments.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.enrichments.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.enrichments.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.enrichments.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.enrichments.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.enrichments.indicator.file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". type: long 
@@ -43547,7 +43888,7 @@ type: keyword *`threat.enrichments.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -43708,51 +44049,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.enrichments.indicator.ip`*:: + -- 
@@ -43801,84 +44097,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.enrichments.indicator.port`*:: + -- 
@@ -43930,7 +44148,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -44083,7 +44301,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -44092,7 +44310,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.enrichments.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -44103,7 +44321,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -44112,7 +44330,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.enrichments.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -44130,7 +44348,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -44548,7 +44766,8 @@ example: MITRE ATT&CK *`threat.group.alias`*:: + -- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword @@ -44559,7 +44778,8 @@ example: [ "Magecart Group 6" ] *`threat.group.id`*:: + -- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group id. type: keyword @@ -44570,7 +44790,8 @@ example: G0037 *`threat.group.name`*:: + -- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group name. type: keyword @@ -44581,7 +44802,8 @@ example: FIN6 *`threat.group.reference`*:: + -- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword 
@@ -44614,7 +44836,7 @@ example: Google LLC *`threat.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -44679,6 +44901,18 @@ example: ["readonly", "system"] -- +*`threat.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.indicator.file.code_signature.exists`*:: + -- @@ -44737,6 +44971,17 @@ example: EQHXZ8M8AV -- +*`threat.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.indicator.file.code_signature.trusted`*:: + -- @@ -45108,6 +45353,19 @@ example: png -- +*`threat.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.indicator.file.gid`*:: + -- 
@@ -45130,6 +45388,51 @@ example: alice -- +*`threat.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.indicator.file.inode`*:: + -- 
@@ -45206,7 +45509,85 @@ example: /home/alice/example.png *`threat.indicator.file.path.text`*:: + -- -type: text +type: match_only_text + +-- + +*`threat.indicator.file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System -- @@ -45234,7 +45615,7 @@ type: keyword *`threat.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -45395,51 +45776,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.indicator.ip`*:: + -- @@ -45489,84 +45825,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.indicator.port`*:: + -- 
@@ -45618,7 +45876,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -45772,7 +46030,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -45781,7 +46039,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -45792,7 +46050,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -45801,7 +46059,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -45819,7 +46077,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -46168,10 +46426,23 @@ example: 3 -- +*`threat.software.alias`*:: ++ +-- +The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® associated software description. + +type: keyword + +example: [ "X-Agent" ] + +-- + *`threat.software.id`*:: + -- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software id. type: keyword @@ -46182,7 +46453,8 @@ example: S0552 *`threat.software.name`*:: + -- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software name. type: keyword @@ -46193,7 +46465,7 @@ example: AdFind *`threat.software.platforms`*:: + -- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure @@ -46206,6 +46478,8 @@ Recommended Values: * SaaS * Windows +While not required, you can use a MITRE ATT&CK® software platforms. + type: keyword example: [ "Windows" ] 
@@ -46215,7 +46489,8 @@ example: [ "Windows" ] *`threat.software.reference`*:: + -- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword @@ -46226,11 +46501,13 @@ example: https://attack.mitre.org/software/S0552/ *`threat.software.type`*:: + -- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool + While not required, you can use a MITRE ATT&CK® software type. + type: keyword example: Tool @@ -46295,7 +46572,7 @@ example: Command and Scripting Interpreter *`threat.technique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -46335,7 +46612,7 @@ example: PowerShell *`threat.technique.subtechnique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -47283,7 +47560,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -47292,7 +47569,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`url.full.text`*:: + -- -type: text +type: match_only_text -- 
@@ -47303,7 +47580,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -47312,7 +47589,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -47330,7 +47607,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- @@ -47455,7 +47732,7 @@ example: Albert Einstein *`user.changes.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -47504,6 +47781,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.changes.name`*:: @@ -47513,14 +47792,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.changes.name.text`*:: + -- -type: text +type: match_only_text -- @@ -47578,7 +47857,7 @@ example: Albert Einstein *`user.effective.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -47627,6 +47906,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.effective.name`*:: @@ -47636,14 +47917,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.effective.name.text`*:: + -- -type: text +type: match_only_text -- @@ -47681,7 +47962,7 @@ example: Albert Einstein *`user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -47730,6 +48011,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.name`*:: 
@@ -47739,14 +48022,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -47794,7 +48077,7 @@ example: Albert Einstein *`user.target.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -47843,6 +48126,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.target.name`*:: @@ -47852,14 +48137,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.target.name.text`*:: + -- -type: text +type: match_only_text -- @@ -47917,7 +48202,7 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605. *`user_agent.original.text`*:: + -- -type: text +type: match_only_text -- @@ -47946,7 +48231,7 @@ example: Mac OS Mojave *`user_agent.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -47975,7 +48260,7 @@ example: Mac OS X *`user_agent.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -48099,7 +48384,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC... *`vulnerability.description.text`*:: + -- -type: text +type: match_only_text -- diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index 49136b028792..bb2b68651487 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded zlib format compressed contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/filebeat/module/apache/access/config/access.yml b/filebeat/module/apache/access/config/access.yml index ebfd7a2dacc1..c2bd5732c925 100644 --- a/filebeat/module/apache/access/config/access.yml +++ b/filebeat/module/apache/access/config/access.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 
diff --git a/filebeat/module/apache/error/config/error.yml b/filebeat/module/apache/error/config/error.yml
index 6dac19ecc890..57a90c2ffd8a 100644
--- a/filebeat/module/apache/error/config/error.yml
+++ b/filebeat/module/apache/error/config/error.yml
@@ -10,4 +10,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/auditd/log/config/log.yml b/filebeat/module/auditd/log/config/log.yml
index ebfd7a2dacc1..c2bd5732c925 100644
--- a/filebeat/module/auditd/log/config/log.yml
+++ b/filebeat/module/auditd/log/config/log.yml
@@ -8,4 +8,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/elasticsearch/audit/config/audit.yml b/filebeat/module/elasticsearch/audit/config/audit.yml
index cc63543fc500..c1b7bbeb4fab 100644
--- a/filebeat/module/elasticsearch/audit/config/audit.yml
+++ b/filebeat/module/elasticsearch/audit/config/audit.yml
@@ -10,7 +10,7 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
 - if:
 regexp:
 message: "^{"
diff --git a/filebeat/module/elasticsearch/deprecation/config/log.yml b/filebeat/module/elasticsearch/deprecation/config/log.yml
index 61d1fc32e9dd..9b1600f7e48c 100644
--- a/filebeat/module/elasticsearch/deprecation/config/log.yml
+++ b/filebeat/module/elasticsearch/deprecation/config/log.yml
@@ -15,4 +15,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/elasticsearch/gc/config/gc.yml b/filebeat/module/elasticsearch/gc/config/gc.yml
index 3c21b140cf93..9156ebbbced8 100644
--- a/filebeat/module/elasticsearch/gc/config/gc.yml
+++ b/filebeat/module/elasticsearch/gc/config/gc.yml
@@ -13,4 +13,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/elasticsearch/server/config/log.yml b/filebeat/module/elasticsearch/server/config/log.yml
index 1156b25def00..d48b9e49798b 100644
--- a/filebeat/module/elasticsearch/server/config/log.yml
+++ b/filebeat/module/elasticsearch/server/config/log.yml
@@ -15,4 +15,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/elasticsearch/slowlog/config/slowlog.yml b/filebeat/module/elasticsearch/slowlog/config/slowlog.yml
index 76e0b00488a2..ed6ff3cf49fc 100644
--- a/filebeat/module/elasticsearch/slowlog/config/slowlog.yml
+++ b/filebeat/module/elasticsearch/slowlog/config/slowlog.yml
@@ -16,4 +16,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/haproxy/log/config/file.yml b/filebeat/module/haproxy/log/config/file.yml
index c39345acad84..36b8d4138594 100644
--- a/filebeat/module/haproxy/log/config/file.yml
+++ b/filebeat/module/haproxy/log/config/file.yml
@@ -9,4 +9,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/haproxy/log/config/syslog.yml b/filebeat/module/haproxy/log/config/syslog.yml
index 823d24c10d25..921cb440ba28 100644
--- a/filebeat/module/haproxy/log/config/syslog.yml
+++ b/filebeat/module/haproxy/log/config/syslog.yml
@@ -6,4 +6,4 @@ processors:
 - add_fields:
 target: ""
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/icinga/debug/config/debug.yml b/filebeat/module/icinga/debug/config/debug.yml
index 145564c8f894..c4bdfdd634cd 100644
--- a/filebeat/module/icinga/debug/config/debug.yml
+++ b/filebeat/module/icinga/debug/config/debug.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/icinga/main/config/main.yml b/filebeat/module/icinga/main/config/main.yml
index 145564c8f894..c4bdfdd634cd 100644
--- a/filebeat/module/icinga/main/config/main.yml
+++ b/filebeat/module/icinga/main/config/main.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/icinga/startup/config/startup.yml b/filebeat/module/icinga/startup/config/startup.yml
index d285231527d4..e69066373d44 100644
--- a/filebeat/module/icinga/startup/config/startup.yml
+++ b/filebeat/module/icinga/startup/config/startup.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/iis/access/config/iis-access.yml b/filebeat/module/iis/access/config/iis-access.yml
index 6c768463da2c..4742e29eb1ca 100644
--- a/filebeat/module/iis/access/config/iis-access.yml
+++ b/filebeat/module/iis/access/config/iis-access.yml
@@ -9,4 +9,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/iis/error/config/iis-error.yml b/filebeat/module/iis/error/config/iis-error.yml
index 6c768463da2c..4742e29eb1ca 100644
--- a/filebeat/module/iis/error/config/iis-error.yml
+++ b/filebeat/module/iis/error/config/iis-error.yml
@@ -9,4 +9,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/kafka/log/config/log.yml b/filebeat/module/kafka/log/config/log.yml
index c69ead601e73..0eb158ad0508 100644
--- a/filebeat/module/kafka/log/config/log.yml
+++ b/filebeat/module/kafka/log/config/log.yml
@@ -13,4 +13,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/kibana/audit/config/audit.yml b/filebeat/module/kibana/audit/config/audit.yml
index b783a5681941..c19e286a14a8 100644
--- a/filebeat/module/kibana/audit/config/audit.yml
+++ b/filebeat/module/kibana/audit/config/audit.yml
@@ -10,7 +10,7 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
 - decode_json_fields:
 fields: [message]
 target: kibana._audit_temp
diff --git a/filebeat/module/kibana/log/config/log.yml b/filebeat/module/kibana/log/config/log.yml
index cc0ee0b620bb..ea397290dc1d 100644
--- a/filebeat/module/kibana/log/config/log.yml
+++ b/filebeat/module/kibana/log/config/log.yml
@@ -11,4 +11,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/logstash/log/config/log.yml b/filebeat/module/logstash/log/config/log.yml
index 82df41d3cc86..78ec61cb4c9b 100644
--- a/filebeat/module/logstash/log/config/log.yml
+++ b/filebeat/module/logstash/log/config/log.yml
@@ -16,4 +16,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/logstash/slowlog/config/slowlog.yml b/filebeat/module/logstash/slowlog/config/slowlog.yml
index 865d4fb0c5c9..9c9fce11dc3c 100644
--- a/filebeat/module/logstash/slowlog/config/slowlog.yml
+++ b/filebeat/module/logstash/slowlog/config/slowlog.yml
@@ -11,4 +11,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/mongodb/log/config/log.yml b/filebeat/module/mongodb/log/config/log.yml
index ebfd7a2dacc1..c2bd5732c925 100644
--- a/filebeat/module/mongodb/log/config/log.yml
+++ b/filebeat/module/mongodb/log/config/log.yml
@@ -8,4 +8,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/mysql/error/config/error.yml b/filebeat/module/mysql/error/config/error.yml
index ea292d85cde1..b879e02a5e6f 100644
--- a/filebeat/module/mysql/error/config/error.yml
+++ b/filebeat/module/mysql/error/config/error.yml
@@ -16,4 +16,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/mysql/slowlog/config/slowlog.yml b/filebeat/module/mysql/slowlog/config/slowlog.yml
index eea95cc786cb..a8f85af8f2fd 100644
--- a/filebeat/module/mysql/slowlog/config/slowlog.yml
+++ b/filebeat/module/mysql/slowlog/config/slowlog.yml
@@ -13,4 +13,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/nats/log/config/log.yml b/filebeat/module/nats/log/config/log.yml
index ebfd7a2dacc1..c2bd5732c925 100644
--- a/filebeat/module/nats/log/config/log.yml
+++ b/filebeat/module/nats/log/config/log.yml
@@ -8,4 +8,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/nginx/access/config/nginx-access.yml b/filebeat/module/nginx/access/config/nginx-access.yml
index 6dac19ecc890..57a90c2ffd8a 100644
--- a/filebeat/module/nginx/access/config/nginx-access.yml
+++ b/filebeat/module/nginx/access/config/nginx-access.yml
@@ -10,4 +10,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/nginx/error/config/nginx-error.yml b/filebeat/module/nginx/error/config/nginx-error.yml
index 3600cb603cab..f2bc4f575099 100644
--- a/filebeat/module/nginx/error/config/nginx-error.yml
+++ b/filebeat/module/nginx/error/config/nginx-error.yml
@@ -14,4 +14,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml b/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml
index 6dac19ecc890..57a90c2ffd8a 100644
--- a/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml
+++ b/filebeat/module/nginx/ingress_controller/config/ingress_controller.yml
@@ -10,4 +10,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/osquery/result/config/result.yml b/filebeat/module/osquery/result/config/result.yml
index b06004ee0939..e61000c00827 100644
--- a/filebeat/module/osquery/result/config/result.yml
+++ b/filebeat/module/osquery/result/config/result.yml
@@ -10,4 +10,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/pensando/dfw/config/dfw.yml b/filebeat/module/pensando/dfw/config/dfw.yml
index 4a3a5eb6a7bf..a9ff71a52c97 100644
--- a/filebeat/module/pensando/dfw/config/dfw.yml
+++ b/filebeat/module/pensando/dfw/config/dfw.yml
@@ -20,4 +20,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/postgresql/log/config/log.yml b/filebeat/module/postgresql/log/config/log.yml
index 6239b8378231..937d507f8240 100644
--- a/filebeat/module/postgresql/log/config/log.yml
+++ b/filebeat/module/postgresql/log/config/log.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/redis/log/config/log.yml b/filebeat/module/redis/log/config/log.yml
index d7214fea25ba..b05f5dbac95d 100644
--- a/filebeat/module/redis/log/config/log.yml
+++ b/filebeat/module/redis/log/config/log.yml
@@ -9,4 +9,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/redis/slowlog/config/slowlog.yml b/filebeat/module/redis/slowlog/config/slowlog.yml
index 831944df7feb..1b4b90ced78c 100644
--- a/filebeat/module/redis/slowlog/config/slowlog.yml
+++ b/filebeat/module/redis/slowlog/config/slowlog.yml
@@ -8,4 +8,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/santa/log/config/file.yml b/filebeat/module/santa/log/config/file.yml
index ebfd7a2dacc1..c2bd5732c925 100644
--- a/filebeat/module/santa/log/config/file.yml
+++ b/filebeat/module/santa/log/config/file.yml
@@ -8,4 +8,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/system/auth/config/auth.yml b/filebeat/module/system/auth/config/auth.yml
index d02a7e65c7bb..e7f238d8af83 100644
--- a/filebeat/module/system/auth/config/auth.yml
+++ b/filebeat/module/system/auth/config/auth.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/system/syslog/config/syslog.yml b/filebeat/module/system/syslog/config/syslog.yml
index d02a7e65c7bb..e7f238d8af83 100644
--- a/filebeat/module/system/syslog/config/syslog.yml
+++ b/filebeat/module/system/syslog/config/syslog.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/filebeat/module/traefik/access/config/traefik-access.yml b/filebeat/module/traefik/access/config/traefik-access.yml
index ebfd7a2dacc1..c2bd5732c925 100644
--- a/filebeat/module/traefik/access/config/traefik-access.yml
+++ b/filebeat/module/traefik/access/config/traefik-access.yml
@@ -8,4 +8,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/go.mod b/go.mod
index d582d64be694..b7d94605e6e5 100644
--- a/go.mod
+++ b/go.mod
@@ -61,7 +61,7 @@ require (
 github.com/dustin/go-humanize v1.0.0
 github.com/eapache/go-resiliency v1.2.0
 github.com/eclipse/paho.mqtt.golang v1.3.5
- github.com/elastic/ecs v1.11.0
+ github.com/elastic/ecs v1.12.0
 github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6
 github.com/elastic/go-concert v0.2.0
 github.com/elastic/go-libaudit/v2 v2.2.0
diff --git a/go.sum b/go.sum
index 486efae8af43..4e9fba51ae67 100644
--- a/go.sum
+++ b/go.sum
@@ -249,8 +249,8 @@ github.com/eclipse/paho.mqtt.golang v1.3.5 h1:sWtmgNxYM9P2sP+xEItMozsR3w0cqZFlqn
 github.com/eclipse/paho.mqtt.golang v1.3.5/go.mod h1:eTzb4gxwwyWpqBUHGQZ4ABAV7+Jgm1PklsYT/eo8Hcc=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY=
-github.com/elastic/ecs v1.11.0 h1:eqcKejxlTzy+6TsCIkd0aBnKHEQOkSfeXnu+pmGYMUY=
-github.com/elastic/ecs v1.11.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4=
+github.com/elastic/ecs v1.12.0 h1:u6WZ2AWtxv5vHvTQ4EuVZdWZ51mKHQ2UIltRePcta5U=
+github.com/elastic/ecs v1.12.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4=
 github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6 h1:nFvXHBjYK3e9+xF0WKDeAKK4aOO51uC28s+L9rBmilo=
 github.com/elastic/elastic-agent-client/v7 v7.0.0-20210727140539-f0905d9377f6/go.mod h1:uh/Gj9a0XEbYoM4NYz4LvaBVARz3QXLmlNjsrKY9fTc=
 github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4=
diff --git a/heartbeat/cmd/root.go b/heartbeat/cmd/root.go
index 804ebe58a19d..d1c2a29b637e 100644
--- a/heartbeat/cmd/root.go
+++ b/heartbeat/cmd/root.go
@@ -41,7 +41,7 @@ const (
 Name = "heartbeat"
 // ecsVersion specifies the version of ECS that this beat is implementing.
- ecsVersion = "1.11.0"
+ ecsVersion = "1.12.0"
 )
 // RootCmd to handle beats cli
diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc
index d0cdc27d84ae..fddd1b41649d 100644
--- a/heartbeat/docs/fields.asciidoc
+++ b/heartbeat/docs/fields.asciidoc
@@ -408,7 +408,7 @@ For log events the message field contains the log message, optimized for viewing For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. -type: text +type: match_only_text example: Hello World @@ -535,7 +535,7 @@ example: Google LLC *`as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -582,7 +582,7 @@ example: Google LLC *`client.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -867,7 +867,7 @@ example: Albert Einstein *`client.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -916,6 +916,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`client.user.name`*:: @@ -925,14 +927,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`client.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1083,6 +1085,18 @@ example: lambda These fields contain information about binary code signatures. +*`code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`code_signature.exists`*:: + -- @@ -1141,6 +1155,17 @@ example: EQHXZ8M8AV -- +*`code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`code_signature.trusted`*:: + -- @@ -1320,7 +1345,7 @@ example: Google LLC *`destination.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1605,7 +1630,7 @@ example: Albert Einstein *`destination.user.full_name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -1654,6 +1679,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`destination.user.name`*:: @@ -1663,14 +1690,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`destination.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1696,6 +1723,18 @@ Many operating systems refer to "shared code libraries" with different names, bu * Dynamic library (`.dylib`) commonly used on macOS +*`dll.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`dll.code_signature.exists`*:: + -- @@ -1754,6 +1793,17 @@ example: EQHXZ8M8AV -- +*`dll.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`dll.code_signature.trusted`*:: + -- @@ -2477,7 +2527,7 @@ type: keyword -- Error message. -type: text +type: match_only_text -- @@ -2486,16 +2536,14 @@ type: text -- The stack trace of this error in plain text. -type: keyword - -Field is not indexed. +type: wildcard -- *`error.stack_trace.text`*:: + -- -type: text +type: match_only_text -- @@ -2862,6 +2910,18 @@ example: ["readonly", "system"] -- +*`file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`file.code_signature.exists`*:: + -- @@ -2920,6 +2980,17 @@ example: EQHXZ8M8AV -- +*`file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`file.code_signature.trusted`*:: + -- 
@@ -3291,6 +3362,19 @@ example: png -- +*`file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`file.gid`*:: + -- @@ -3434,7 +3518,7 @@ example: /home/alice/example.png *`file.path.text`*:: + -- -type: text +type: match_only_text -- @@ -3540,7 +3624,7 @@ type: keyword *`file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -4344,7 +4428,7 @@ example: Mac OS Mojave *`host.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -4373,7 +4457,7 @@ example: Mac OS X *`host.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -4466,7 +4550,7 @@ example: Albert Einstein *`host.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -4515,6 +4599,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`host.user.name`*:: @@ -4524,14 +4610,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`host.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -4570,7 +4656,7 @@ format: bytes -- The full HTTP request body. -type: keyword +type: wildcard example: Hello world 
@@ -4579,7 +4665,7 @@ example: Hello world *`http.request.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -4663,7 +4749,7 @@ format: bytes -- The full HTTP response body. -type: keyword +type: wildcard example: Hello world @@ -4672,7 +4758,7 @@ example: Hello world *`http.response.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -5481,7 +5567,7 @@ example: Mac OS Mojave *`observer.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -5510,7 +5596,7 @@ example: Mac OS X *`observer.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5728,7 +5814,7 @@ type: keyword *`organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5763,7 +5849,7 @@ example: Mac OS Mojave *`os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -5792,7 +5878,7 @@ example: Mac OS X *`os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -6098,6 +6184,18 @@ example: 4 -- +*`process.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.code_signature.exists`*:: + -- @@ -6156,6 +6254,17 @@ example: EQHXZ8M8AV -- +*`process.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.code_signature.trusted`*:: + -- @@ -6186,7 +6295,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -6195,7 +6304,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.command_line.text`*:: + -- -type: text +type: match_only_text -- 
@@ -6480,6 +6589,17 @@ type: keyword -- +*`process.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.entity_id`*:: + -- @@ -6507,7 +6627,7 @@ example: /usr/bin/ssh *`process.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -6583,7 +6703,7 @@ example: ssh *`process.name.text`*:: + -- -type: text +type: match_only_text -- @@ -6611,6 +6731,18 @@ example: 4 -- +*`process.parent.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.parent.code_signature.exists`*:: + -- @@ -6669,6 +6801,17 @@ example: EQHXZ8M8AV -- +*`process.parent.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.parent.code_signature.trusted`*:: + -- @@ -6699,7 +6842,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -6708,7 +6851,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.parent.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -6993,6 +7136,17 @@ type: keyword -- +*`process.parent.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.parent.entity_id`*:: + -- @@ -7020,7 +7174,7 @@ example: /usr/bin/ssh *`process.parent.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -7096,7 +7250,7 @@ example: ssh *`process.parent.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -7263,7 +7417,7 @@ type: keyword *`process.parent.title.text`*:: + -- -type: text +type: match_only_text -- @@ -7292,7 +7446,7 @@ example: /home/alice *`process.parent.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -7459,7 +7613,7 @@ type: keyword *`process.title.text`*:: + -- -type: text +type: match_only_text -- @@ -7488,7 +7642,7 @@ example: /home/alice *`process.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -7516,7 +7670,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -7782,7 +7936,7 @@ example: Google LLC *`server.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8067,7 +8221,7 @@ example: Albert Einstein *`server.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -8116,6 +8270,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`server.user.name`*:: @@ -8125,14 +8281,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`server.user.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -8154,6 +8310,30 @@ The service fields describe the service for or from which the data was collected These fields help you find and correlate logs for a specific service and version. +*`service.address`*:: ++ +-- +Address where data about this service was collected from. +This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + +type: keyword + +example: 172.26.0.2:5432 + +-- + +*`service.environment`*:: ++ +-- +Identifies the environment where the service is running. +If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + +type: keyword + +example: production + +-- + *`service.ephemeral_id`*:: + -- @@ -8281,7 +8461,7 @@ example: Google LLC *`source.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8566,7 +8746,7 @@ example: Albert Einstein *`source.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -8615,6 +8795,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`source.user.name`*:: @@ -8624,14 +8806,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`source.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8696,7 +8878,7 @@ example: Google LLC *`threat.enrichments.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8760,6 +8942,18 @@ example: ["readonly", "system"] -- +*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.enrichments.indicator.file.code_signature.exists`*:: + -- 
@@ -8818,6 +9012,17 @@ example: EQHXZ8M8AV -- +*`threat.enrichments.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- @@ -9189,6 +9394,19 @@ example: png -- +*`threat.enrichments.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.enrichments.indicator.file.gid`*:: + -- @@ -9211,6 +9429,51 @@ example: alice -- +*`threat.enrichments.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.enrichments.indicator.file.inode`*:: + -- 
@@ -9287,26 +9550,104 @@ example: /home/alice/example.png *`threat.enrichments.indicator.file.path.text`*:: + -- -type: text +type: match_only_text -- -*`threat.enrichments.indicator.file.size`*:: +*`threat.enrichments.indicator.file.pe.architecture`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +CPU architecture target for the file. -type: long +type: keyword -example: 16384 +example: x64 -- -*`threat.enrichments.indicator.file.target_path`*:: +*`threat.enrichments.indicator.file.pe.company`*:: + -- -Target path for symlinks. +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.enrichments.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.enrichments.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.enrichments.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.enrichments.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.enrichments.indicator.file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". 
+ +type: long + +example: 16384 + +-- + +*`threat.enrichments.indicator.file.target_path`*:: ++ +-- +Target path for symlinks. type: keyword @@ -9315,7 +9656,7 @@ type: keyword *`threat.enrichments.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -9476,51 +9817,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.enrichments.indicator.ip`*:: + -- 
@@ -9569,84 +9865,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.enrichments.indicator.port`*:: + -- 
@@ -9698,7 +9916,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -9851,7 +10069,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -9860,7 +10078,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.enrichments.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -9871,7 +10089,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -9880,7 +10098,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.enrichments.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -9898,7 +10116,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -10316,7 +10534,8 @@ example: MITRE ATT&CK *`threat.group.alias`*:: + -- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword @@ -10327,7 +10546,8 @@ example: [ "Magecart Group 6" ] *`threat.group.id`*:: + -- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group id. type: keyword @@ -10338,7 +10558,8 @@ example: G0037 *`threat.group.name`*:: + -- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group name. type: keyword @@ -10349,7 +10570,8 @@ example: FIN6 *`threat.group.reference`*:: + -- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword 
@@ -10382,7 +10604,7 @@ example: Google LLC *`threat.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -10447,6 +10669,18 @@ example: ["readonly", "system"] -- +*`threat.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.indicator.file.code_signature.exists`*:: + -- @@ -10505,6 +10739,17 @@ example: EQHXZ8M8AV -- +*`threat.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.indicator.file.code_signature.trusted`*:: + -- @@ -10876,6 +11121,19 @@ example: png -- +*`threat.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.indicator.file.gid`*:: + -- 
@@ -10898,6 +11156,51 @@ example: alice -- +*`threat.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.indicator.file.inode`*:: + -- 
@@ -10974,7 +11277,85 @@ example: /home/alice/example.png *`threat.indicator.file.path.text`*:: + -- -type: text +type: match_only_text + +-- + +*`threat.indicator.file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System -- @@ -11002,7 +11383,7 @@ type: keyword *`threat.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -11163,51 +11544,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.indicator.ip`*:: + -- @@ -11257,84 +11593,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.indicator.port`*:: + -- 
@@ -11386,7 +11644,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -11540,7 +11798,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -11549,7 +11807,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -11560,7 +11818,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -11569,7 +11827,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -11587,7 +11845,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -11936,10 +12194,23 @@ example: 3 -- +*`threat.software.alias`*:: ++ +-- +The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® associated software description. + +type: keyword + +example: [ "X-Agent" ] + +-- + *`threat.software.id`*:: + -- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software id. type: keyword @@ -11950,7 +12221,8 @@ example: S0552 *`threat.software.name`*:: + -- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software name. type: keyword @@ -11961,7 +12233,7 @@ example: AdFind *`threat.software.platforms`*:: + -- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure @@ -11974,6 +12246,8 @@ Recommended Values: * SaaS * Windows +While not required, you can use a MITRE ATT&CK® software platforms. + type: keyword example: [ "Windows" ] 
@@ -11983,7 +12257,8 @@ example: [ "Windows" ] *`threat.software.reference`*:: + -- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword @@ -11994,11 +12269,13 @@ example: https://attack.mitre.org/software/S0552/ *`threat.software.type`*:: + -- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool + While not required, you can use a MITRE ATT&CK® software type. + type: keyword example: Tool @@ -12063,7 +12340,7 @@ example: Command and Scripting Interpreter *`threat.technique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -12103,7 +12380,7 @@ example: PowerShell *`threat.technique.subtechnique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13051,7 +13328,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -13060,7 +13337,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`url.full.text`*:: + -- -type: text +type: match_only_text -- 
@@ -13071,7 +13348,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -13080,7 +13357,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -13098,7 +13375,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- @@ -13223,7 +13500,7 @@ example: Albert Einstein *`user.changes.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13272,6 +13549,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.changes.name`*:: @@ -13281,14 +13560,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.changes.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13346,7 +13625,7 @@ example: Albert Einstein *`user.effective.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13395,6 +13674,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.effective.name`*:: @@ -13404,14 +13685,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.effective.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13449,7 +13730,7 @@ example: Albert Einstein *`user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13498,6 +13779,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.name`*:: 
@@ -13507,14 +13790,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13562,7 +13845,7 @@ example: Albert Einstein *`user.target.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13611,6 +13894,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.target.name`*:: @@ -13620,14 +13905,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.target.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13685,7 +13970,7 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605. *`user_agent.original.text`*:: + -- -type: text +type: match_only_text -- @@ -13714,7 +13999,7 @@ example: Mac OS Mojave *`user_agent.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -13743,7 +14028,7 @@ example: Mac OS X *`user_agent.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13867,7 +14152,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC... *`vulnerability.description.text`*:: + -- -type: text +type: match_only_text -- diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go index 5eae3ac42676..7836f5c36d56 100644 --- a/heartbeat/include/fields.go +++ b/heartbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded zlib format compressed contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/journalbeat/cmd/root.go b/journalbeat/cmd/root.go index 82e79d402721..913483b8819f 100644 --- a/journalbeat/cmd/root.go +++ b/journalbeat/cmd/root.go 
@@ -35,7 +35,7 @@ const ( Name = "journalbeat" // ecsVersion specifies the version of ECS that Winlogbeat is implementing. - ecsVersion = "1.11.0" + ecsVersion = "1.12.0" ) // withECSVersion is a modifier that adds ecs.version to events. diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index 0c1217ed77b6..91c9f4f93c16 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc @@ -960,7 +960,7 @@ For log events the message field contains the log message, optimized for viewing For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. -type: text +type: match_only_text example: Hello World @@ -1087,7 +1087,7 @@ example: Google LLC *`as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1134,7 +1134,7 @@ example: Google LLC *`client.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1419,7 +1419,7 @@ example: Albert Einstein *`client.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -1468,6 +1468,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`client.user.name`*:: @@ -1477,14 +1479,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`client.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1635,6 +1637,18 @@ example: lambda These fields contain information about binary code signatures. +*`code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`code_signature.exists`*:: + -- 
@@ -1693,6 +1707,17 @@ example: EQHXZ8M8AV -- +*`code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`code_signature.trusted`*:: + -- @@ -1872,7 +1897,7 @@ example: Google LLC *`destination.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -2157,7 +2182,7 @@ example: Albert Einstein *`destination.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -2206,6 +2231,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`destination.user.name`*:: @@ -2215,14 +2242,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`destination.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -2248,6 +2275,18 @@ Many operating systems refer to "shared code libraries" with different names, bu * Dynamic library (`.dylib`) commonly used on macOS +*`dll.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`dll.code_signature.exists`*:: + -- @@ -2306,6 +2345,17 @@ example: EQHXZ8M8AV -- +*`dll.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`dll.code_signature.trusted`*:: + -- @@ -3029,7 +3079,7 @@ type: keyword -- Error message. -type: text +type: match_only_text -- @@ -3038,16 +3088,14 @@ type: text -- The stack trace of this error in plain text. -type: keyword - -Field is not indexed. +type: wildcard -- *`error.stack_trace.text`*:: + -- -type: text +type: match_only_text -- 
@@ -3414,6 +3462,18 @@ example: ["readonly", "system"] -- +*`file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`file.code_signature.exists`*:: + -- @@ -3472,6 +3532,17 @@ example: EQHXZ8M8AV -- +*`file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`file.code_signature.trusted`*:: + -- @@ -3843,6 +3914,19 @@ example: png -- +*`file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`file.gid`*:: + -- @@ -3986,7 +4070,7 @@ example: /home/alice/example.png *`file.path.text`*:: + -- -type: text +type: match_only_text -- @@ -4092,7 +4176,7 @@ type: keyword *`file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -4896,7 +4980,7 @@ example: Mac OS Mojave *`host.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -4925,7 +5009,7 @@ example: Mac OS X *`host.os.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -5018,7 +5102,7 @@ example: Albert Einstein *`host.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -5067,6 +5151,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`host.user.name`*:: @@ -5076,14 +5162,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`host.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5122,7 +5208,7 @@ format: bytes -- The full HTTP request body. -type: keyword +type: wildcard example: Hello world @@ -5131,7 +5217,7 @@ example: Hello world *`http.request.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -5215,7 +5301,7 @@ format: bytes -- The full HTTP response body. -type: keyword +type: wildcard example: Hello world @@ -5224,7 +5310,7 @@ example: Hello world *`http.response.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -6033,7 +6119,7 @@ example: Mac OS Mojave *`observer.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -6062,7 +6148,7 @@ example: Mac OS X *`observer.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -6280,7 +6366,7 @@ type: keyword *`organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -6315,7 +6401,7 @@ example: Mac OS Mojave *`os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -6344,7 +6430,7 @@ example: Mac OS X *`os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -6650,6 +6736,18 @@ example: 4 -- +*`process.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.code_signature.exists`*:: + -- 
@@ -6708,6 +6806,17 @@ example: EQHXZ8M8AV -- +*`process.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.code_signature.trusted`*:: + -- @@ -6738,7 +6847,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -6747,7 +6856,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -7032,6 +7141,17 @@ type: keyword -- +*`process.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.entity_id`*:: + -- @@ -7059,7 +7179,7 @@ example: /usr/bin/ssh *`process.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -7135,7 +7255,7 @@ example: ssh *`process.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7163,6 +7283,18 @@ example: 4 -- +*`process.parent.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.parent.code_signature.exists`*:: + -- @@ -7221,6 +7353,17 @@ example: EQHXZ8M8AV -- +*`process.parent.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.parent.code_signature.trusted`*:: + -- @@ -7251,7 +7394,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 
@@ -7260,7 +7403,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.parent.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -7545,6 +7688,17 @@ type: keyword -- +*`process.parent.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.parent.entity_id`*:: + -- @@ -7572,7 +7726,7 @@ example: /usr/bin/ssh *`process.parent.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -7648,7 +7802,7 @@ example: ssh *`process.parent.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7815,7 +7969,7 @@ type: keyword *`process.parent.title.text`*:: + -- -type: text +type: match_only_text -- @@ -7844,7 +7998,7 @@ example: /home/alice *`process.parent.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -8011,7 +8165,7 @@ type: keyword *`process.title.text`*:: + -- -type: text +type: match_only_text -- @@ -8040,7 +8194,7 @@ example: /home/alice *`process.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -8068,7 +8222,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -8334,7 +8488,7 @@ example: Google LLC *`server.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8619,7 +8773,7 @@ example: Albert Einstein *`server.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -8668,6 +8822,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`server.user.name`*:: 
@@ -8677,14 +8833,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`server.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8706,6 +8862,30 @@ The service fields describe the service for or from which the data was collected These fields help you find and correlate logs for a specific service and version. +*`service.address`*:: ++ +-- +Address where data about this service was collected from. +This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + +type: keyword + +example: 172.26.0.2:5432 + +-- + +*`service.environment`*:: ++ +-- +Identifies the environment where the service is running. +If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + +type: keyword + +example: production + +-- + *`service.ephemeral_id`*:: + -- @@ -8833,7 +9013,7 @@ example: Google LLC *`source.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -9118,7 +9298,7 @@ example: Albert Einstein *`source.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -9167,6 +9347,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`source.user.name`*:: @@ -9176,14 +9358,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`source.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -9248,7 +9430,7 @@ example: Google LLC *`threat.enrichments.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -9312,6 +9494,18 @@ example: ["readonly", "system"] -- +*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.enrichments.indicator.file.code_signature.exists`*:: + -- @@ -9370,6 +9564,17 @@ example: EQHXZ8M8AV -- +*`threat.enrichments.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- @@ -9741,6 +9946,19 @@ example: png -- +*`threat.enrichments.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.enrichments.indicator.file.gid`*:: + -- 
@@ -9763,6 +9981,51 @@ example: alice -- +*`threat.enrichments.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.enrichments.indicator.file.inode`*:: + -- 
@@ -9839,26 +10102,104 @@ example: /home/alice/example.png *`threat.enrichments.indicator.file.path.text`*:: + -- -type: text +type: match_only_text -- -*`threat.enrichments.indicator.file.size`*:: +*`threat.enrichments.indicator.file.pe.architecture`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +CPU architecture target for the file. -type: long +type: keyword -example: 16384 +example: x64 -- -*`threat.enrichments.indicator.file.target_path`*:: +*`threat.enrichments.indicator.file.pe.company`*:: + -- -Target path for symlinks. +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.enrichments.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.enrichments.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.enrichments.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.enrichments.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.enrichments.indicator.file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". 
+ +type: long + +example: 16384 + +-- + +*`threat.enrichments.indicator.file.target_path`*:: ++ +-- +Target path for symlinks. type: keyword @@ -9867,7 +10208,7 @@ type: keyword *`threat.enrichments.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -10028,51 +10369,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.enrichments.indicator.ip`*:: + -- 
@@ -10121,84 +10417,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.enrichments.indicator.port`*:: + -- 
@@ -10250,7 +10468,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -10403,7 +10621,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -10412,7 +10630,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.enrichments.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -10423,7 +10641,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -10432,7 +10650,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.enrichments.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -10450,7 +10668,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -10868,7 +11086,8 @@ example: MITRE ATT&CK *`threat.group.alias`*:: + -- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword @@ -10879,7 +11098,8 @@ example: [ "Magecart Group 6" ] *`threat.group.id`*:: + -- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group id. type: keyword @@ -10890,7 +11110,8 @@ example: G0037 *`threat.group.name`*:: + -- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group name. type: keyword @@ -10901,7 +11122,8 @@ example: FIN6 *`threat.group.reference`*:: + -- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword 
@@ -10934,7 +11156,7 @@ example: Google LLC *`threat.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -10999,6 +11221,18 @@ example: ["readonly", "system"] -- +*`threat.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.indicator.file.code_signature.exists`*:: + -- @@ -11057,6 +11291,17 @@ example: EQHXZ8M8AV -- +*`threat.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.indicator.file.code_signature.trusted`*:: + -- @@ -11428,6 +11673,19 @@ example: png -- +*`threat.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.indicator.file.gid`*:: + -- 
@@ -11450,6 +11708,51 @@ example: alice -- +*`threat.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.indicator.file.inode`*:: + -- 
@@ -11526,7 +11829,85 @@ example: /home/alice/example.png *`threat.indicator.file.path.text`*:: + -- -type: text +type: match_only_text + +-- + +*`threat.indicator.file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System -- @@ -11554,7 +11935,7 @@ type: keyword *`threat.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -11715,51 +12096,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.indicator.ip`*:: + -- @@ -11809,84 +12145,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.indicator.port`*:: + -- 
@@ -11938,7 +12196,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -12092,7 +12350,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -12101,7 +12359,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -12112,7 +12370,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -12121,7 +12379,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -12139,7 +12397,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -12488,10 +12746,23 @@ example: 3
 -- +*`threat.software.alias`*:: ++ +-- +The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® associated software description. + +type: keyword + +example: [ "X-Agent" ] + +-- + *`threat.software.id`*:: + -- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software id. type: keyword
@@ -12502,7 +12773,8 @@ example: S0552
 *`threat.software.name`*:: + -- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software name. type: keyword
@@ -12513,7 +12785,7 @@ example: AdFind
 *`threat.software.platforms`*:: + -- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure
@@ -12526,6 +12798,8 @@ Recommended Values:
 * SaaS * Windows +While not required, you can use a MITRE ATT&CK® software platforms. + type: keyword example: [ "Windows" ]
@@ -12535,7 +12809,8 @@ example: [ "Windows" ]
 *`threat.software.reference`*:: + -- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword
@@ -12546,11 +12821,13 @@ example: https://attack.mitre.org/software/S0552/
 *`threat.software.type`*:: + -- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool + While not required, you can use a MITRE ATT&CK® software type. + type: keyword example: Tool
@@ -12615,7 +12892,7 @@ example: Command and Scripting Interpreter
 *`threat.technique.name.text`*:: + -- -type: text +type: match_only_text --
@@ -12655,7 +12932,7 @@ example: PowerShell
 *`threat.technique.subtechnique.name.text`*:: + -- -type: text +type: match_only_text --
@@ -13603,7 +13880,7 @@ type: keyword
 -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top
@@ -13612,7 +13889,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top
 *`url.full.text`*:: + -- -type: text +type: match_only_text --
@@ -13623,7 +13900,7 @@ Unmodified original url as seen in the event source.
 Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
@@ -13632,7 +13909,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas
 *`url.original.text`*:: + -- -type: text +type: match_only_text --
@@ -13650,7 +13927,7 @@ type: keyword
 -- Path of the request, such as "/search". -type: keyword +type: wildcard --
@@ -13775,7 +14052,7 @@ example: Albert Einstein
 *`user.changes.full_name.text`*:: + -- -type: text +type: match_only_text --
@@ -13824,6 +14101,8 @@ Unique identifier of the user.
 type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.changes.name`*::
@@ -13833,14 +14112,14 @@ Short name or login of the user.
 type: keyword -example: albert +example: a.einstein -- *`user.changes.name.text`*:: + -- -type: text +type: match_only_text --
@@ -13898,7 +14177,7 @@ example: Albert Einstein
 *`user.effective.full_name.text`*:: + -- -type: text +type: match_only_text --
@@ -13947,6 +14226,8 @@ Unique identifier of the user.
 type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.effective.name`*::
@@ -13956,14 +14237,14 @@ Short name or login of the user.
 type: keyword -example: albert +example: a.einstein -- *`user.effective.name.text`*:: + -- -type: text +type: match_only_text --
@@ -14001,7 +14282,7 @@ example: Albert Einstein
 *`user.full_name.text`*:: + -- -type: text +type: match_only_text --
@@ -14050,6 +14331,8 @@ Unique identifier of the user.
 type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.name`*::
@@ -14059,14 +14342,14 @@ Short name or login of the user.
 type: keyword -example: albert +example: a.einstein -- *`user.name.text`*:: + -- -type: text +type: match_only_text --
@@ -14114,7 +14397,7 @@ example: Albert Einstein
 *`user.target.full_name.text`*:: + -- -type: text +type: match_only_text --
@@ -14163,6 +14446,8 @@ Unique identifier of the user.
 type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.target.name`*::
@@ -14172,14 +14457,14 @@ Short name or login of the user.
 type: keyword -example: albert +example: a.einstein -- *`user.target.name.text`*:: + -- -type: text +type: match_only_text --
@@ -14237,7 +14522,7 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.
 *`user_agent.original.text`*:: + -- -type: text +type: match_only_text --
@@ -14266,7 +14551,7 @@ example: Mac OS Mojave
 *`user_agent.os.full.text`*:: + -- -type: text +type: match_only_text --
@@ -14295,7 +14580,7 @@ example: Mac OS X
 *`user_agent.os.name.text`*:: + -- -type: text +type: match_only_text --
@@ -14419,7 +14704,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC...
 *`vulnerability.description.text`*:: + -- -type: text +type: match_only_text --
diff --git a/journalbeat/include/fields.go b/journalbeat/include/fields.go
index 20e26acdf119..560bdab513ed 100644
--- a/journalbeat/include/fields.go
+++ b/journalbeat/include/fields.go
@@ -32,5 +32,5 @@ func init() {
 // AssetFieldsYml returns asset data.
 // This is the base64 encoded zlib format compressed contents of fields.yml.
 func AssetFieldsYml() string {
- return ""
+ return ""
 }
diff --git a/libbeat/_meta/fields.ecs.yml b/libbeat/_meta/fields.ecs.yml
index 79269113c856..27c9869230e2 100644
--- a/libbeat/_meta/fields.ecs.yml
+++ b/libbeat/_meta/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.11.0. +# based on ECS version 1.12.0. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs
@@ -33,7 +33,7 @@
 example: '{"application": "foo-bar", "env": "production"}' - name: message level: core - type: text + type: match_only_text description: 'For log events the message field contains the log message, optimized for viewing in a log viewer.
@@ -140,8 +140,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Organization name. example: Google LLC
@@ -187,8 +186,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Organization name. example: Google LLC
@@ -376,8 +374,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein
@@ -412,17 +409,17 @@
 type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: user.roles level: extended type: keyword
@@ -532,6 +529,16 @@
 description: These fields contain information about binary code signatures. type: group fields: + - name: digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false - name: exists level: core type: boolean
@@ -576,6 +583,12 @@
 is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false + - name: timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false - name: trusted level: extended type: boolean
@@ -722,8 +735,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Organization name. example: Google LLC
@@ -910,8 +922,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein
@@ -946,17 +957,17 @@
 type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: user.roles level: extended type: keyword
@@ -981,6 +992,16 @@
 * Dynamic library (`.dylib`) commonly used on macOS' type: group fields: + - name: code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false - name: code_signature.exists level: core type: boolean
@@ -1025,6 +1046,12 @@
 is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false + - name: code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false - name: code_signature.trusted level: extended type: boolean
@@ -1535,19 +1562,16 @@
 description: Unique identifier for the error. - name: message level: core - type: text + type: match_only_text description: Error message. - name: stack_trace level: extended - type: keyword + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: The stack trace of this error in plain text. - index: false - doc_values: false - name: type level: extended type: keyword
@@ -1910,6 +1934,16 @@
 execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false + - name: code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false - name: code_signature.exists level: core type: boolean
@@ -1954,6 +1988,12 @@
 is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false + - name: code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false - name: code_signature.trusted level: extended type: boolean
@@ -2196,6 +2236,25 @@
 Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png + - name: fork_name + level: extended + type: keyword + ignore_above: 1024 + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + default_field: false - name: gid level: extended type: keyword
@@ -2277,8 +2336,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
@@ -2349,8 +2407,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Target path for symlinks. - name: type
@@ -2893,8 +2950,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave
@@ -2910,8 +2966,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Operating system name, without the version. example: Mac OS X
@@ -2974,8 +3029,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein
@@ -3010,17 +3064,17 @@
 type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: user.roles level: extended type: keyword
@@ -3043,12 +3097,10 @@
 example: 887 - name: request.body.content level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: The full HTTP request body. example: Hello world
@@ -3109,12 +3161,10 @@
 example: 887 - name: response.body.content level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: The full HTTP response body. example: Hello world
@@ -3711,8 +3761,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave
@@ -3728,8 +3777,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Operating system name, without the version. example: Mac OS X
@@ -3880,8 +3928,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Organization name. - name: os
@@ -3902,8 +3949,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave
@@ -3919,8 +3965,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Operating system name, without the version. example: Mac OS X
@@ -4137,6 +4182,16 @@
 indication of suspicious activity.' example: 4 default_field: false + - name: code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false - name: code_signature.exists level: core type: boolean
@@ -4181,6 +4236,12 @@
 is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false + - name: code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false - name: code_signature.trusted level: extended type: boolean
@@ -4201,12 +4262,10 @@
 default_field: false - name: command_line level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.
@@ -4392,6 +4451,12 @@
 ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false + - name: end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false - name: entity_id level: extended type: keyword
@@ -4413,8 +4478,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Absolute path to the process executable. example: /usr/bin/ssh
@@ -4459,8 +4523,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: 'Process name.
@@ -4486,6 +4549,16 @@
 indication of suspicious activity.' example: 4 default_field: false + - name: parent.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false - name: parent.code_signature.exists level: core type: boolean
@@ -4530,6 +4603,12 @@
 is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false + - name: parent.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false - name: parent.code_signature.trusted level: extended type: boolean
@@ -4550,12 +4629,10 @@
 default_field: false - name: parent.command_line level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text description: 'Full command line that started the process, including the absolute path to the executable, and all arguments.
@@ -4741,6 +4818,12 @@
 ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false + - name: parent.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false - name: parent.entity_id level: extended type: keyword
@@ -4762,8 +4845,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false
@@ -4812,8 +4894,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: 'Process name. Sometimes called program name or similar.'
@@ -4918,8 +4999,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: 'Process title. The proctitle, some times the same as process name. Can also be different:
@@ -4937,8 +5017,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The working directory of the process. example: /home/alice default_field: false
@@ -5035,8 +5114,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: 'Process title.
@@ -5053,8 +5131,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: The working directory of the process. example: /home/alice
@@ -5077,8 +5154,7 @@
 default_field: false - name: data.strings level: core - type: keyword - ignore_above: 1024 + type: wildcard description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single
@@ -5301,8 +5377,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Organization name. example: Google LLC
@@ -5490,8 +5565,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein
@@ -5526,17 +5600,17 @@
 type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: user.roles level: extended type: keyword
@@ -5553,6 +5627,27 @@
 These fields help you find and correlate logs for a specific service and version.' type: group fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Address where data about this service was collected from. + + This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource + path (sockets).' + example: 172.26.0.2:5432 + default_field: false + - name: environment + level: extended + type: keyword + ignore_above: 1024 + description: 'Identifies the environment where the service is running. + + If the same service runs in different environments (production, staging, QA, + development, etc.), the environment can identify other instances of the same + service. Can also group services and applications from the same environment.' + example: production + default_field: false - name: ephemeral_id level: extended type: keyword
@@ -5667,8 +5762,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Organization name. example: Google LLC
@@ -5856,8 +5950,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein
@@ -5892,17 +5985,17 @@
 type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: user.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: user.roles level: extended type: keyword
@@ -5946,8 +6039,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Organization name. example: Google LLC default_field: false
@@ -5994,6 +6086,16 @@
 execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false + - name: enrichments.indicator.file.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false - name: enrichments.indicator.file.code_signature.exists level: core type: boolean
@@ -6038,6 +6140,12 @@
 is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false + - name: enrichments.indicator.file.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false - name: enrichments.indicator.file.code_signature.trusted level: extended type: boolean
@@ -6285,6 +6393,25 @@
 the last one should be captured ("gz", not "tar.gz").' example: png default_field: false + - name: enrichments.indicator.file.fork_name + level: extended + type: keyword + ignore_above: 1024 + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + default_field: false - name: enrichments.indicator.file.gid level: extended type: keyword
@@ -6299,6 +6426,36 @@
 description: Primary group name of the file. example: alice default_field: false + - name: enrichments.indicator.file.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: enrichments.indicator.file.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: enrichments.indicator.file.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: enrichments.indicator.file.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: enrichments.indicator.file.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: enrichments.indicator.file.inode level: extended type: keyword
@@ -6347,12 +6504,64 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png default_field: false + - name: enrichments.indicator.file.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: enrichments.indicator.file.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: enrichments.indicator.file.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: enrichments.indicator.file.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: enrichments.indicator.file.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: enrichments.indicator.file.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE + default_field: false + - name: enrichments.indicator.file.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: enrichments.indicator.file.size level: extended type: long
@@ -6367,8 +6576,7 @@
 ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Target path for symlinks. default_field: false - name: enrichments.indicator.file.type
@@ -6477,36 +6685,6 @@
 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - - name: enrichments.indicator.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: enrichments.indicator.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: enrichments.indicator.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: enrichments.indicator.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: enrichments.indicator.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - name: enrichments.indicator.ip level: extended type: ip
@@ -6536,59 +6714,6 @@ for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.indicator.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: enrichments.indicator.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: enrichments.indicator.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: enrichments.indicator.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: enrichments.indicator.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: enrichments.indicator.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: enrichments.indicator.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. 
- example: "Microsoft\xAE Windows\xAE Operating System" - default_field: false - name: enrichments.indicator.port level: extended type: long @@ -6623,8 +6748,7 @@ default_field: false - name: enrichments.indicator.registry.data.strings level: core - type: keyword - ignore_above: 1024 + type: wildcard description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single @@ -6734,12 +6858,10 @@ default_field: false - name: enrichments.indicator.url.full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. @@ -6747,12 +6869,10 @@ default_field: false - name: enrichments.indicator.url.original level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas @@ -6769,8 +6889,7 @@ default_field: false - name: enrichments.indicator.url.path level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Path of the request, such as "/search". default_field: false - name: enrichments.indicator.url.port @@ -7071,8 +7190,8 @@ type: keyword ignore_above: 1024 description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." + \ that are tracked by a common name in the security community.\nWhile not\ + \ required, you can use a MITRE ATT&CK\xAE group alias(es)." example: '[ "Magecart Group 6" ]' default_field: false - name: group.id 
@@ -7080,7 +7199,7 @@ type: keyword ignore_above: 1024 description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ + \ are tracked by a common name in the security community.\nWhile not required,\ \ you can use a MITRE ATT&CK\xAE group id." example: G0037 default_field: false @@ -7089,8 +7208,8 @@ type: keyword ignore_above: 1024 description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." + \ that are tracked by a common name in the security community.\nWhile not\ + \ required, you can use a MITRE ATT&CK\xAE group name." example: FIN6 default_field: false - name: group.reference @@ -7098,8 +7217,8 @@ type: keyword ignore_above: 1024 description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + \ activity that are tracked by a common name in the security community.\n\ + While not required, you can use a MITRE ATT&CK\xAE group reference URL." example: https://attack.mitre.org/groups/G0037/ default_field: false - name: indicator.as.number @@ -7115,8 +7234,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Organization name. example: Google LLC default_field: false 
@@ -7163,6 +7281,16 @@ execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false + - name: indicator.file.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false - name: indicator.file.code_signature.exists level: core type: boolean @@ -7207,6 +7335,12 @@ is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false + - name: indicator.file.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false - name: indicator.file.code_signature.trusted level: extended type: boolean 
@@ -7454,6 +7588,25 @@ the last one should be captured ("gz", not "tar.gz").' example: png default_field: false + - name: indicator.file.fork_name + level: extended + type: keyword + ignore_above: 1024 + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + default_field: false - name: indicator.file.gid level: extended type: keyword @@ -7468,6 +7621,36 @@ description: Primary group name of the file. example: alice default_field: false + - name: indicator.file.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: indicator.file.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: indicator.file.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: indicator.file.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: indicator.file.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: indicator.file.inode level: extended type: keyword 
@@ -7516,12 +7699,64 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png default_field: false + - name: indicator.file.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: indicator.file.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: indicator.file.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: indicator.file.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: indicator.file.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: indicator.file.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + default_field: false + - name: indicator.file.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: indicator.file.size level: extended type: long @@ -7536,8 +7771,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Target path for symlinks. default_field: false - name: indicator.file.type @@ -7646,36 +7880,6 @@ description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - - name: indicator.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: indicator.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: indicator.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: indicator.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: indicator.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - name: indicator.ip level: extended type: ip 
@@ -7705,59 +7909,6 @@ for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: indicator.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: indicator.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: indicator.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: indicator.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: indicator.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: indicator.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - default_field: false - name: indicator.port level: extended type: long 
@@ -7792,8 +7943,7 @@ default_field: false - name: indicator.registry.data.strings level: core - type: keyword - ignore_above: 1024 + type: wildcard description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single @@ -7903,12 +8053,10 @@ default_field: false - name: indicator.url.full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. @@ -7916,12 +8064,10 @@ default_field: false - name: indicator.url.original level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas @@ -7938,8 +8084,7 @@ default_field: false - name: indicator.url.path level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Path of the request, such as "/search". default_field: false - name: indicator.url.port 
@@ -8188,12 +8333,21 @@ description: Version of x509 format. example: 3 default_field: false + - name: software.alias + level: extended + type: keyword + ignore_above: 1024 + description: "The alias(es) of the software for a set of related intrusion activity\ + \ that are tracked by a common name in the security community.\nWhile not\ + \ required, you can use a MITRE ATT&CK\xAE associated software description." + example: '[ "X-Agent" ]' + default_field: false - name: software.id level: extended type: keyword ignore_above: 1024 description: "The id of the software used by this threat to conduct behavior\ - \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ + \ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use\ \ a MITRE ATT&CK\xAE software id." example: S0552 default_field: false @@ -8202,7 +8356,7 @@ type: keyword ignore_above: 1024 description: "The name of the software used by this threat to conduct behavior\ - \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ + \ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use\ \ a MITRE ATT&CK\xAE software name." example: AdFind default_field: false @@ -8211,10 +8365,10 @@ type: keyword ignore_above: 1024 description: "The platforms of the software used by this threat to conduct behavior\ - \ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\ - \ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \ - \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\ - \ 365\n * SaaS\n * Windows" + \ commonly modeled using MITRE ATT&CK\xAE.\nRecommended Values:\n * AWS\n\ + \ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n *\ + \ Office 365\n * SaaS\n * Windows\n\nWhile not required, you can use a MITRE\ + \ ATT&CK\xAE software platforms." example: '[ "Windows" ]' default_field: false - name: software.reference 
@@ -8222,7 +8376,7 @@ type: keyword ignore_above: 1024 description: "The reference URL of the software used by this threat to conduct\ - \ behavior commonly modeled using MITRE ATT&CK\xAE. While not required, you\ + \ behavior commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you\ \ can use a MITRE ATT&CK\xAE software reference URL." example: https://attack.mitre.org/software/S0552/ default_field: false @@ -8231,8 +8385,8 @@ type: keyword ignore_above: 1024 description: "The type of software used by this threat to conduct behavior commonly\ - \ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\ - \ ATT&CK\xAE software type.\nRecommended values\n * Malware\n * Tool" + \ modeled using MITRE ATT&CK\xAE.\nRecommended values\n * Malware\n * Tool\n\ + \n While not required, you can use a MITRE ATT&CK\xAE software type." example: Tool default_field: false - name: tactic.id @@ -8270,8 +8424,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: "The name of technique used by this threat. You can use a MITRE\ \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" @@ -8297,8 +8450,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: "The name of subtechnique used by this threat. You can use a MITRE\ \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" example: PowerShell @@ -8966,12 +9118,10 @@ The `#` is not part of the fragment.' - name: full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event 
@@ -8979,12 +9129,10 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: 'Unmodified original url as seen in the event source. @@ -9000,8 +9148,7 @@ description: Password of the request. - name: path level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Path of the request, such as "/search". - name: port level: extended @@ -9101,8 +9248,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: User's full name, if available. example: Albert Einstein default_field: false @@ -9141,6 +9287,7 @@ type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: changes.name level: core @@ -9148,10 +9295,9 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Short name or login of the user. - example: albert + example: a.einstein default_field: false - name: changes.roles level: extended @@ -9187,8 +9333,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: User's full name, if available. example: Albert Einstein default_field: false @@ -9227,6 +9372,7 @@ type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: effective.name level: core @@ -9234,10 +9380,9 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Short name or login of the user. - example: albert + example: a.einstein default_field: false - name: effective.roles level: extended 
@@ -9257,8 +9402,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: User's full name, if available. example: Albert Einstein @@ -9293,17 +9437,17 @@ type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 - name: name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Short name or login of the user. - example: albert + example: a.einstein - name: roles level: extended type: keyword @@ -9331,8 +9475,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: User's full name, if available. example: Albert Einstein default_field: false @@ -9371,6 +9514,7 @@ type: keyword ignore_above: 1024 description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - name: target.name level: core @@ -9378,10 +9522,9 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Short name or login of the user. - example: albert + example: a.einstein default_field: false - name: target.roles level: extended @@ -9416,8 +9559,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 @@ -9433,8 +9575,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Operating system name, including the version or code name. example: Mac OS Mojave 
@@ -9450,8 +9591,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text default_field: false description: Operating system name, without the version. example: Mac OS X @@ -9556,8 +9696,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) diff --git a/libbeat/mapping/field.go b/libbeat/mapping/field.go index 9b26284981f8..13342a5f9be8 100644 --- a/libbeat/mapping/field.go +++ b/libbeat/mapping/field.go @@ -141,7 +141,7 @@ func (f *Field) Validate() error { func (f *Field) validateType() error { var allowedFormatters, allowedMetricTypes, allowedUnits []string switch strings.ToLower(f.Type) { - case "text", "keyword", "wildcard", "constant_keyword": + case "text", "keyword", "wildcard", "constant_keyword", "match_only_text": allowedFormatters = []string{"string", "url"} case "long", "integer", "short", "byte", "double", "float", "half_float", "scaled_float", "histogram": allowedFormatters = []string{"string", "url", "bytes", "duration", "number", "percent", "color"} diff --git a/libbeat/template/processor.go b/libbeat/template/processor.go index 2cd06f6d94e4..ef4ae3c85db4 100644 --- a/libbeat/template/processor.go +++ b/libbeat/template/processor.go @@ -32,6 +32,7 @@ var ( minVersionHistogram = common.MustNewVersion("7.6.0") minVersionWildcard = common.MustNewVersion("7.9.0") minVersionExplicitDynamicTemplate = common.MustNewVersion("7.13.0") + minVersionMatchOnlyText = common.MustNewVersion("7.14.0") ) // Processor struct to process fields to template 
@@ -87,6 +88,13 @@ func (p *Processor) Process(fields mapping.Fields, state *fieldState, output com indexMapping = p.integer(&field) case "text": indexMapping = p.text(&field) + case "match_only_text": + noMatchOnlyText := p.EsVersion.LessThan(minVersionMatchOnlyText) + if !p.ElasticLicensed || noMatchOnlyText { + indexMapping = p.text(&field) + } else { + indexMapping = p.matchOnlyText(&field) + } case "wildcard": noWildcards := p.EsVersion.LessThan(minVersionWildcard) if !p.ElasticLicensed || noWildcards { @@ -342,6 +350,28 @@ func (p *Processor) text(f *mapping.Field) common.MapStr { return properties } +func (p *Processor) matchOnlyText(f *mapping.Field) common.MapStr { + properties := p.getDefaultProperties(f) + + properties["type"] = "match_only_text" + + if f.Analyzer != "" { + properties["analyzer"] = f.Analyzer + } + + if f.SearchAnalyzer != "" { + properties["search_analyzer"] = f.SearchAnalyzer + } + + if len(f.MultiFields) > 0 { + fields := common.MapStr{} + p.Process(f.MultiFields, nil, fields) + properties["fields"] = fields + } + + return properties +} + func (p *Processor) array(f *mapping.Field) common.MapStr { properties := p.getDefaultProperties(f) if f.ObjectType != "" { diff --git a/metricbeat/_meta/fields.common.yml b/metricbeat/_meta/fields.common.yml index 44bab6f614e0..13816fff32c7 100644 --- a/metricbeat/_meta/fields.common.yml +++ b/metricbeat/_meta/fields.common.yml @@ -20,11 +20,6 @@ description: > Current data collection period for this event in milliseconds. - - name: service.address - description: > - Address of the machine where the service is running. This - field may not be present when the data was collected locally. - - name: service.hostname description: > Host name of the machine where the service is running. diff --git a/metricbeat/cmd/root.go b/metricbeat/cmd/root.go index 3c8641b1f5b7..426475c854a0 100644 --- a/metricbeat/cmd/root.go +++ b/metricbeat/cmd/root.go 
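Review bot: The new `case "match_only_text"` gates the type on `p.ElasticLicensed` exactly like the `wildcard` case below it, but the two features are not packaged alike: wildcard is an x-pack field type, whereas match_only_text ships in Elasticsearch's mapper-extras module and, as far as I know, needs no Elastic-licensed features. Under this condition an OSS-built Beat talking to a 7.14+ cluster silently gets `text` for every ECS field the updated fields.yml marks `match_only_text`, forfeiting the mapping the upgrade introduces. Unless the OSS fallback is intended, the version check alone seems sufficient: `if p.EsVersion.LessThan(minVersionMatchOnlyText) { indexMapping = p.text(&field) } else { indexMapping = p.matchOnlyText(&field) }`. Either way, a one-line comment stating why the license flag is or is not consulted would help, since this branch is the fallback behaviour the CHANGELOG entry advertises. Process starts and ends outside the hunk.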
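Review bot: `matchOnlyText` copies `analyzer` and `search_analyzer` from the field definition into the mapping, but Elasticsearch documents `match_only_text` analysis as not configurable (only `fields` and `meta` are accepted parameters, as far as I know), so a fields.yml entry that sets an analyzer on such a field would yield a template Elasticsearch rejects at load time rather than the graceful `text` fallback this change otherwise provides. I would drop the two analyzer blocks, or, if definitions carrying an analyzer must keep working, send those fields through `p.text(f)` explicitly. Judging from the visible tail of `text` above, the rest of the body is the same shape; a helper parameterized on the type string would avoid maintaining two copies that must stay in sync. The function also lacks a doc comment; `// matchOnlyText builds the mapping for a match_only_text field, including its multi_fields.` would do.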
@@ -43,7 +43,7 @@ const ( Name = "metricbeat" // ecsVersion specifies the version of ECS that this beat is implementing. - ecsVersion = "1.11.0" + ecsVersion = "1.12.0" ) // RootCmd to handle beats cli diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index 4ffb71c8dfe7..ed645e2a2fa1 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -10320,14 +10320,6 @@ Current data collection period for this event in milliseconds. type: integer --- - -*`service.address`*:: -+ --- -Address of the machine where the service is running. This field may not be present when the data was collected locally. - - -- *`service.hostname`*:: @@ -12901,7 +12893,7 @@ For log events the message field contains the log message, optimized for viewing For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. -type: text +type: match_only_text example: Hello World @@ -13028,7 +13020,7 @@ example: Google LLC *`as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13075,7 +13067,7 @@ example: Google LLC *`client.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13360,7 +13352,7 @@ example: Albert Einstein *`client.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13409,6 +13401,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`client.user.name`*:: @@ -13418,14 +13412,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`client.user.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -13576,6 +13570,18 @@ example: lambda These fields contain information about binary code signatures. +*`code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`code_signature.exists`*:: + -- @@ -13634,6 +13640,17 @@ example: EQHXZ8M8AV -- +*`code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`code_signature.trusted`*:: + -- @@ -13813,7 +13830,7 @@ example: Google LLC *`destination.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -14098,7 +14115,7 @@ example: Albert Einstein *`destination.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -14147,6 +14164,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`destination.user.name`*:: @@ -14156,14 +14175,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`destination.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -14189,6 +14208,18 @@ Many operating systems refer to "shared code libraries" with different names, bu * Dynamic library (`.dylib`) commonly used on macOS +*`dll.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`dll.code_signature.exists`*:: + -- @@ -14247,6 +14278,17 @@ example: EQHXZ8M8AV -- +*`dll.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`dll.code_signature.trusted`*:: + -- 
@@ -14970,7 +15012,7 @@ type: keyword -- Error message. -type: text +type: match_only_text -- @@ -14979,16 +15021,14 @@ type: text -- The stack trace of this error in plain text. -type: keyword - -Field is not indexed. +type: wildcard -- *`error.stack_trace.text`*:: + -- -type: text +type: match_only_text -- @@ -15355,6 +15395,18 @@ example: ["readonly", "system"] -- +*`file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`file.code_signature.exists`*:: + -- @@ -15413,6 +15465,17 @@ example: EQHXZ8M8AV -- +*`file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`file.code_signature.trusted`*:: + -- @@ -15784,6 +15847,19 @@ example: png -- +*`file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`file.gid`*:: + -- @@ -15927,7 +16003,7 @@ example: /home/alice/example.png *`file.path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -16033,7 +16109,7 @@ type: keyword *`file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -16837,7 +16913,7 @@ example: Mac OS Mojave *`host.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -16866,7 +16942,7 @@ example: Mac OS X *`host.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -16959,7 +17035,7 @@ example: Albert Einstein *`host.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -17008,6 +17084,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`host.user.name`*:: @@ -17017,14 +17095,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`host.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -17063,7 +17141,7 @@ format: bytes -- The full HTTP request body. -type: keyword +type: wildcard example: Hello world @@ -17072,7 +17150,7 @@ example: Hello world *`http.request.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -17156,7 +17234,7 @@ format: bytes -- The full HTTP response body. -type: keyword +type: wildcard example: Hello world @@ -17165,7 +17243,7 @@ example: Hello world *`http.response.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -17974,7 +18052,7 @@ example: Mac OS Mojave *`observer.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -18003,7 +18081,7 @@ example: Mac OS X *`observer.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -18221,7 +18299,7 @@ type: keyword *`organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -18256,7 +18334,7 @@ example: Mac OS Mojave *`os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -18285,7 +18363,7 @@ example: Mac OS X *`os.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -18591,6 +18669,18 @@ example: 4 -- +*`process.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.code_signature.exists`*:: + -- @@ -18649,6 +18739,17 @@ example: EQHXZ8M8AV -- +*`process.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.code_signature.trusted`*:: + -- @@ -18679,7 +18780,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -18688,7 +18789,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -18973,6 +19074,17 @@ type: keyword -- +*`process.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.entity_id`*:: + -- @@ -19000,7 +19112,7 @@ example: /usr/bin/ssh *`process.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -19076,7 +19188,7 @@ example: ssh *`process.name.text`*:: + -- -type: text +type: match_only_text -- @@ -19104,6 +19216,18 @@ example: 4 -- +*`process.parent.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.parent.code_signature.exists`*:: + -- 
@@ -19162,6 +19286,17 @@ example: EQHXZ8M8AV -- +*`process.parent.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.parent.code_signature.trusted`*:: + -- @@ -19192,7 +19327,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -19201,7 +19336,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.parent.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -19486,6 +19621,17 @@ type: keyword -- +*`process.parent.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.parent.entity_id`*:: + -- @@ -19513,7 +19659,7 @@ example: /usr/bin/ssh *`process.parent.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -19589,7 +19735,7 @@ example: ssh *`process.parent.name.text`*:: + -- -type: text +type: match_only_text -- @@ -19756,7 +19902,7 @@ type: keyword *`process.parent.title.text`*:: + -- -type: text +type: match_only_text -- @@ -19785,7 +19931,7 @@ example: /home/alice *`process.parent.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -19952,7 +20098,7 @@ type: keyword *`process.title.text`*:: + -- -type: text +type: match_only_text -- @@ -19981,7 +20127,7 @@ example: /home/alice *`process.working_directory.text`*:: + -- -type: text +type: match_only_text -- 
@@ -20009,7 +20155,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -20275,7 +20421,7 @@ example: Google LLC *`server.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -20560,7 +20706,7 @@ example: Albert Einstein *`server.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -20609,6 +20755,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`server.user.name`*:: @@ -20618,14 +20766,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`server.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -20647,6 +20795,30 @@ The service fields describe the service for or from which the data was collected These fields help you find and correlate logs for a specific service and version. +*`service.address`*:: ++ +-- +Address where data about this service was collected from. +This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + +type: keyword + +example: 172.26.0.2:5432 + +-- + +*`service.environment`*:: ++ +-- +Identifies the environment where the service is running. +If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + +type: keyword + +example: production + +-- + *`service.ephemeral_id`*:: + -- 
@@ -20774,7 +20946,7 @@ example: Google LLC *`source.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -21059,7 +21231,7 @@ example: Albert Einstein *`source.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -21108,6 +21280,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`source.user.name`*:: @@ -21117,14 +21291,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`source.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -21189,7 +21363,7 @@ example: Google LLC *`threat.enrichments.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -21253,6 +21427,18 @@ example: ["readonly", "system"] -- +*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.enrichments.indicator.file.code_signature.exists`*:: + -- @@ -21311,6 +21497,17 @@ example: EQHXZ8M8AV -- +*`threat.enrichments.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- 
@@ -21682,6 +21879,19 @@ example: png -- +*`threat.enrichments.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.enrichments.indicator.file.gid`*:: + -- @@ -21704,6 +21914,51 @@ example: alice -- +*`threat.enrichments.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.enrichments.indicator.file.inode`*:: + -- 
@@ -21780,14 +22035,92 @@ example: /home/alice/example.png *`threat.enrichments.indicator.file.path.text`*:: + -- -type: text +type: match_only_text -- -*`threat.enrichments.indicator.file.size`*:: +*`threat.enrichments.indicator.file.pe.architecture`*:: + -- -File size in bytes. +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.enrichments.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.enrichments.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.enrichments.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.enrichments.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.enrichments.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.enrichments.indicator.file.size`*:: ++ +-- +File size in bytes. Only relevant when `file.type` is "file". type: long @@ -21808,7 +22141,7 @@ type: keyword *`threat.enrichments.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -21969,51 +22302,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.enrichments.indicator.ip`*:: + -- 
@@ -22062,84 +22350,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.enrichments.indicator.port`*:: + -- 
@@ -22191,7 +22401,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -22344,7 +22554,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -22353,7 +22563,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.enrichments.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -22364,7 +22574,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -22373,7 +22583,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.enrichments.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -22391,7 +22601,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -22809,7 +23019,8 @@ example: MITRE ATT&CK *`threat.group.alias`*:: + -- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword @@ -22820,7 +23031,8 @@ example: [ "Magecart Group 6" ] *`threat.group.id`*:: + -- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group id. type: keyword @@ -22831,7 +23043,8 @@ example: G0037 *`threat.group.name`*:: + -- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group name. type: keyword @@ -22842,7 +23055,8 @@ example: FIN6 *`threat.group.reference`*:: + -- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword 
@@ -22875,7 +23089,7 @@ example: Google LLC *`threat.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -22940,6 +23154,18 @@ example: ["readonly", "system"] -- +*`threat.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.indicator.file.code_signature.exists`*:: + -- @@ -22998,6 +23224,17 @@ example: EQHXZ8M8AV -- +*`threat.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.indicator.file.code_signature.trusted`*:: + -- @@ -23369,6 +23606,19 @@ example: png -- +*`threat.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.indicator.file.gid`*:: + -- 
@@ -23391,6 +23641,51 @@ example: alice -- +*`threat.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.indicator.file.inode`*:: + -- 
@@ -23467,7 +23762,85 @@ example: /home/alice/example.png *`threat.indicator.file.path.text`*:: + -- -type: text +type: match_only_text + +-- + +*`threat.indicator.file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System -- @@ -23495,7 +23868,7 @@ type: keyword *`threat.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -23656,51 +24029,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.indicator.ip`*:: + -- @@ -23750,84 +24078,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.indicator.port`*:: + -- 
@@ -23879,7 +24129,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -24033,7 +24283,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -24042,7 +24292,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -24053,7 +24303,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -24062,7 +24312,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -24080,7 +24330,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -24429,10 +24679,23 @@ example: 3 -- +*`threat.software.alias`*:: ++ +-- +The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® associated software description. + +type: keyword + +example: [ "X-Agent" ] + +-- + *`threat.software.id`*:: + -- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software id. type: keyword @@ -24443,7 +24706,8 @@ example: S0552 *`threat.software.name`*:: + -- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software name. type: keyword @@ -24454,7 +24718,7 @@ example: AdFind *`threat.software.platforms`*:: + -- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure @@ -24467,6 +24731,8 @@ Recommended Values: * SaaS * Windows +While not required, you can use a MITRE ATT&CK® software platforms. + type: keyword example: [ "Windows" ] 
@@ -24476,7 +24742,8 @@ example: [ "Windows" ] *`threat.software.reference`*:: + -- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword @@ -24487,11 +24754,13 @@ example: https://attack.mitre.org/software/S0552/ *`threat.software.type`*:: + -- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool + While not required, you can use a MITRE ATT&CK® software type. + type: keyword example: Tool @@ -24556,7 +24825,7 @@ example: Command and Scripting Interpreter *`threat.technique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -24596,7 +24865,7 @@ example: PowerShell *`threat.technique.subtechnique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -25544,7 +25813,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -25553,7 +25822,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`url.full.text`*:: + -- -type: text +type: match_only_text -- 
@@ -25564,7 +25833,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -25573,7 +25842,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -25591,7 +25860,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- @@ -25716,7 +25985,7 @@ example: Albert Einstein *`user.changes.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -25765,6 +26034,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.changes.name`*:: @@ -25774,14 +26045,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.changes.name.text`*:: + -- -type: text +type: match_only_text -- @@ -25839,7 +26110,7 @@ example: Albert Einstein *`user.effective.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -25888,6 +26159,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.effective.name`*:: @@ -25897,14 +26170,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.effective.name.text`*:: + -- -type: text +type: match_only_text -- @@ -25942,7 +26215,7 @@ example: Albert Einstein *`user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -25991,6 +26264,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.name`*:: 
@@ -26000,14 +26275,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -26055,7 +26330,7 @@ example: Albert Einstein *`user.target.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -26104,6 +26379,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.target.name`*:: @@ -26113,14 +26390,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.target.name.text`*:: + -- -type: text +type: match_only_text -- @@ -26178,7 +26455,7 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605. *`user_agent.original.text`*:: + -- -type: text +type: match_only_text -- @@ -26207,7 +26484,7 @@ example: Mac OS Mojave *`user_agent.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -26236,7 +26513,7 @@ example: Mac OS X *`user_agent.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -26360,7 +26637,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC... *`vulnerability.description.text`*:: + -- -type: text +type: match_only_text -- diff --git a/metricbeat/include/fields/fields.go b/metricbeat/include/fields/fields.go index 5c664722863d..5bf3b244c5d7 100644 --- a/metricbeat/include/fields/fields.go +++ b/metricbeat/include/fields/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded zlib format compressed contents of fields.yml. func AssetFieldsYml() string { - return "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" + return "" } diff --git a/packetbeat/cmd/root.go b/packetbeat/cmd/root.go index 152e3951c508..8d6688bd51c7 100644 --- a/packetbeat/cmd/root.go +++ b/packetbeat/cmd/root.go 
@@ -37,7 +37,7 @@ const ( Name = "packetbeat" // ecsVersion specifies the version of ECS that Packetbeat is implementing. - ecsVersion = "1.11.0" + ecsVersion = "1.12.0" ) // withECSVersion is a modifier that adds ecs.version to events. diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index 24e1558208cf..b2566e9cdb60 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -2174,7 +2174,7 @@ For log events the message field contains the log message, optimized for viewing For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. -type: text +type: match_only_text example: Hello World @@ -2301,7 +2301,7 @@ example: Google LLC *`as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -2348,7 +2348,7 @@ example: Google LLC *`client.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -2633,7 +2633,7 @@ example: Albert Einstein *`client.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -2682,6 +2682,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`client.user.name`*:: @@ -2691,14 +2693,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`client.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -2849,6 +2851,18 @@ example: lambda These fields contain information about binary code signatures. +*`code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`code_signature.exists`*:: + -- 
@@ -2907,6 +2921,17 @@ example: EQHXZ8M8AV -- +*`code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`code_signature.trusted`*:: + -- @@ -3086,7 +3111,7 @@ example: Google LLC *`destination.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -3371,7 +3396,7 @@ example: Albert Einstein *`destination.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -3420,6 +3445,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`destination.user.name`*:: @@ -3429,14 +3456,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`destination.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -3462,6 +3489,18 @@ Many operating systems refer to "shared code libraries" with different names, bu * Dynamic library (`.dylib`) commonly used on macOS +*`dll.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`dll.code_signature.exists`*:: + -- @@ -3520,6 +3559,17 @@ example: EQHXZ8M8AV -- +*`dll.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`dll.code_signature.trusted`*:: + -- @@ -4243,7 +4293,7 @@ type: keyword -- Error message. -type: text +type: match_only_text -- @@ -4252,16 +4302,14 @@ type: text -- The stack trace of this error in plain text. -type: keyword - -Field is not indexed. +type: wildcard -- *`error.stack_trace.text`*:: + -- -type: text +type: match_only_text -- 
@@ -4628,6 +4676,18 @@ example: ["readonly", "system"] -- +*`file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`file.code_signature.exists`*:: + -- @@ -4686,6 +4746,17 @@ example: EQHXZ8M8AV -- +*`file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`file.code_signature.trusted`*:: + -- @@ -5057,6 +5128,19 @@ example: png -- +*`file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`file.gid`*:: + -- @@ -5200,7 +5284,7 @@ example: /home/alice/example.png *`file.path.text`*:: + -- -type: text +type: match_only_text -- @@ -5306,7 +5390,7 @@ type: keyword *`file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -6110,7 +6194,7 @@ example: Mac OS Mojave *`host.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -6139,7 +6223,7 @@ example: Mac OS X *`host.os.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -6232,7 +6316,7 @@ example: Albert Einstein *`host.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -6281,6 +6365,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`host.user.name`*:: @@ -6290,14 +6376,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`host.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -6336,7 +6422,7 @@ format: bytes -- The full HTTP request body. -type: keyword +type: wildcard example: Hello world @@ -6345,7 +6431,7 @@ example: Hello world *`http.request.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -6429,7 +6515,7 @@ format: bytes -- The full HTTP response body. -type: keyword +type: wildcard example: Hello world @@ -6438,7 +6524,7 @@ example: Hello world *`http.response.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -7247,7 +7333,7 @@ example: Mac OS Mojave *`observer.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -7276,7 +7362,7 @@ example: Mac OS X *`observer.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7494,7 +7580,7 @@ type: keyword *`organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7529,7 +7615,7 @@ example: Mac OS Mojave *`os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -7558,7 +7644,7 @@ example: Mac OS X *`os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7864,6 +7950,18 @@ example: 4 -- +*`process.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.code_signature.exists`*:: + -- 
@@ -7922,6 +8020,17 @@ example: EQHXZ8M8AV -- +*`process.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.code_signature.trusted`*:: + -- @@ -7952,7 +8061,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -7961,7 +8070,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -8246,6 +8355,17 @@ type: keyword -- +*`process.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.entity_id`*:: + -- @@ -8273,7 +8393,7 @@ example: /usr/bin/ssh *`process.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -8349,7 +8469,7 @@ example: ssh *`process.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8377,6 +8497,18 @@ example: 4 -- +*`process.parent.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.parent.code_signature.exists`*:: + -- @@ -8435,6 +8567,17 @@ example: EQHXZ8M8AV -- +*`process.parent.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.parent.code_signature.trusted`*:: + -- @@ -8465,7 +8608,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 
@@ -8474,7 +8617,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.parent.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -8759,6 +8902,17 @@ type: keyword -- +*`process.parent.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.parent.entity_id`*:: + -- @@ -8786,7 +8940,7 @@ example: /usr/bin/ssh *`process.parent.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -8862,7 +9016,7 @@ example: ssh *`process.parent.name.text`*:: + -- -type: text +type: match_only_text -- @@ -9029,7 +9183,7 @@ type: keyword *`process.parent.title.text`*:: + -- -type: text +type: match_only_text -- @@ -9058,7 +9212,7 @@ example: /home/alice *`process.parent.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -9225,7 +9379,7 @@ type: keyword *`process.title.text`*:: + -- -type: text +type: match_only_text -- @@ -9254,7 +9408,7 @@ example: /home/alice *`process.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -9282,7 +9436,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -9548,7 +9702,7 @@ example: Google LLC *`server.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -9833,7 +9987,7 @@ example: Albert Einstein *`server.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -9882,6 +10036,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`server.user.name`*:: 
@@ -9891,14 +10047,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`server.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -9920,6 +10076,30 @@ The service fields describe the service for or from which the data was collected These fields help you find and correlate logs for a specific service and version. +*`service.address`*:: ++ +-- +Address where data about this service was collected from. +This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + +type: keyword + +example: 172.26.0.2:5432 + +-- + +*`service.environment`*:: ++ +-- +Identifies the environment where the service is running. +If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + +type: keyword + +example: production + +-- + *`service.ephemeral_id`*:: + -- @@ -10047,7 +10227,7 @@ example: Google LLC *`source.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -10332,7 +10512,7 @@ example: Albert Einstein *`source.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -10381,6 +10561,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`source.user.name`*:: @@ -10390,14 +10572,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`source.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -10462,7 +10644,7 @@ example: Google LLC *`threat.enrichments.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -10526,6 +10708,18 @@ example: ["readonly", "system"] -- +*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.enrichments.indicator.file.code_signature.exists`*:: + -- @@ -10584,6 +10778,17 @@ example: EQHXZ8M8AV -- +*`threat.enrichments.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- @@ -10955,6 +11160,19 @@ example: png -- +*`threat.enrichments.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.enrichments.indicator.file.gid`*:: + -- 
@@ -10977,6 +11195,51 @@ example: alice -- +*`threat.enrichments.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.enrichments.indicator.file.inode`*:: + -- 
@@ -11053,26 +11316,104 @@ example: /home/alice/example.png *`threat.enrichments.indicator.file.path.text`*:: + -- -type: text +type: match_only_text -- -*`threat.enrichments.indicator.file.size`*:: +*`threat.enrichments.indicator.file.pe.architecture`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +CPU architecture target for the file. -type: long +type: keyword -example: 16384 +example: x64 -- -*`threat.enrichments.indicator.file.target_path`*:: +*`threat.enrichments.indicator.file.pe.company`*:: + -- -Target path for symlinks. +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.enrichments.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.enrichments.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.enrichments.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.enrichments.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.enrichments.indicator.file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". 
+ +type: long + +example: 16384 + +-- + +*`threat.enrichments.indicator.file.target_path`*:: ++ +-- +Target path for symlinks. type: keyword @@ -11081,7 +11422,7 @@ type: keyword *`threat.enrichments.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -11242,51 +11583,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.enrichments.indicator.ip`*:: + -- 
@@ -11335,84 +11631,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.enrichments.indicator.port`*:: + -- 
@@ -11464,7 +11682,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -11617,7 +11835,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -11626,7 +11844,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.enrichments.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -11637,7 +11855,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -11646,7 +11864,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.enrichments.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -11664,7 +11882,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -12082,7 +12300,8 @@ example: MITRE ATT&CK *`threat.group.alias`*:: + -- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword @@ -12093,7 +12312,8 @@ example: [ "Magecart Group 6" ] *`threat.group.id`*:: + -- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group id. type: keyword @@ -12104,7 +12324,8 @@ example: G0037 *`threat.group.name`*:: + -- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group name. type: keyword @@ -12115,7 +12336,8 @@ example: FIN6 *`threat.group.reference`*:: + -- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword 
@@ -12148,7 +12370,7 @@ example: Google LLC *`threat.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -12213,6 +12435,18 @@ example: ["readonly", "system"] -- +*`threat.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.indicator.file.code_signature.exists`*:: + -- @@ -12271,6 +12505,17 @@ example: EQHXZ8M8AV -- +*`threat.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.indicator.file.code_signature.trusted`*:: + -- @@ -12642,6 +12887,19 @@ example: png -- +*`threat.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.indicator.file.gid`*:: + -- 
@@ -12664,6 +12922,51 @@ example: alice -- +*`threat.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.indicator.file.inode`*:: + -- 
@@ -12740,7 +13043,85 @@ example: /home/alice/example.png *`threat.indicator.file.path.text`*:: + -- -type: text +type: match_only_text + +-- + +*`threat.indicator.file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System -- @@ -12768,7 +13149,7 @@ type: keyword *`threat.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -12929,51 +13310,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.indicator.ip`*:: + -- @@ -13023,84 +13359,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.indicator.port`*:: + -- 
@@ -13152,7 +13410,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -13306,7 +13564,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -13315,7 +13573,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -13326,7 +13584,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -13335,7 +13593,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -13353,7 +13611,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -13702,10 +13960,23 @@ example: 3 -- +*`threat.software.alias`*:: ++ +-- +The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® associated software description. + +type: keyword + +example: [ "X-Agent" ] + +-- + *`threat.software.id`*:: + -- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software id. type: keyword @@ -13716,7 +13987,8 @@ example: S0552 *`threat.software.name`*:: + -- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software name. type: keyword @@ -13727,7 +13999,7 @@ example: AdFind *`threat.software.platforms`*:: + -- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure @@ -13740,6 +14012,8 @@ Recommended Values: * SaaS * Windows +While not required, you can use a MITRE ATT&CK® software platforms. + type: keyword example: [ "Windows" ] 
@@ -13749,7 +14023,8 @@ example: [ "Windows" ] *`threat.software.reference`*:: + -- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword @@ -13760,11 +14035,13 @@ example: https://attack.mitre.org/software/S0552/ *`threat.software.type`*:: + -- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool + While not required, you can use a MITRE ATT&CK® software type. + type: keyword example: Tool @@ -13829,7 +14106,7 @@ example: Command and Scripting Interpreter *`threat.technique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13869,7 +14146,7 @@ example: PowerShell *`threat.technique.subtechnique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -14817,7 +15094,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -14826,7 +15103,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`url.full.text`*:: + -- -type: text +type: match_only_text -- 
@@ -14837,7 +15114,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -14846,7 +15123,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -14864,7 +15141,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- @@ -14989,7 +15266,7 @@ example: Albert Einstein *`user.changes.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -15038,6 +15315,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.changes.name`*:: @@ -15047,14 +15326,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.changes.name.text`*:: + -- -type: text +type: match_only_text -- @@ -15112,7 +15391,7 @@ example: Albert Einstein *`user.effective.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -15161,6 +15440,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.effective.name`*:: @@ -15170,14 +15451,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.effective.name.text`*:: + -- -type: text +type: match_only_text -- @@ -15215,7 +15496,7 @@ example: Albert Einstein *`user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -15264,6 +15545,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.name`*:: 
@@ -15273,14 +15556,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -15328,7 +15611,7 @@ example: Albert Einstein *`user.target.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -15377,6 +15660,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.target.name`*:: @@ -15386,14 +15671,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.target.name.text`*:: + -- -type: text +type: match_only_text -- @@ -15451,7 +15736,7 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605. *`user_agent.original.text`*:: + -- -type: text +type: match_only_text -- @@ -15480,7 +15765,7 @@ example: Mac OS Mojave *`user_agent.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -15509,7 +15794,7 @@ example: Mac OS X *`user_agent.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -15633,7 +15918,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC... *`vulnerability.description.text`*:: + -- -type: text +type: match_only_text -- diff --git a/packetbeat/include/fields.go b/packetbeat/include/fields.go index 22384e3ae409..d5fc9f86ff34 100644 --- a/packetbeat/include/fields.go +++ b/packetbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded zlib format compressed contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/winlogbeat/cmd/root.go b/winlogbeat/cmd/root.go index 73ade61f394e..ce5f5e9d9819 100644 --- a/winlogbeat/cmd/root.go +++ b/winlogbeat/cmd/root.go 
@@ -37,7 +37,7 @@ const ( Name = "winlogbeat" // ecsVersion specifies the version of ECS that Winlogbeat is implementing. - ecsVersion = "1.11.0" + ecsVersion = "1.12.0" ) // withECSVersion is a modifier that adds ecs.version to events. diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index c408b520fcd9..bdfc76c59e00 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -266,7 +266,7 @@ For log events the message field contains the log message, optimized for viewing For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. -type: text +type: match_only_text example: Hello World @@ -393,7 +393,7 @@ example: Google LLC *`as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -440,7 +440,7 @@ example: Google LLC *`client.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -725,7 +725,7 @@ example: Albert Einstein *`client.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -774,6 +774,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`client.user.name`*:: @@ -783,14 +785,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`client.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -941,6 +943,18 @@ example: lambda These fields contain information about binary code signatures. +*`code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`code_signature.exists`*:: + -- 
@@ -999,6 +1013,17 @@ example: EQHXZ8M8AV -- +*`code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`code_signature.trusted`*:: + -- @@ -1178,7 +1203,7 @@ example: Google LLC *`destination.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1463,7 +1488,7 @@ example: Albert Einstein *`destination.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -1512,6 +1537,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`destination.user.name`*:: @@ -1521,14 +1548,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`destination.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1554,6 +1581,18 @@ Many operating systems refer to "shared code libraries" with different names, bu * Dynamic library (`.dylib`) commonly used on macOS +*`dll.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`dll.code_signature.exists`*:: + -- @@ -1612,6 +1651,17 @@ example: EQHXZ8M8AV -- +*`dll.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`dll.code_signature.trusted`*:: + -- @@ -2335,7 +2385,7 @@ type: keyword -- Error message. -type: text +type: match_only_text -- @@ -2344,16 +2394,14 @@ type: text -- The stack trace of this error in plain text. -type: keyword - -Field is not indexed. +type: wildcard -- *`error.stack_trace.text`*:: + -- -type: text +type: match_only_text -- 
@@ -2720,6 +2768,18 @@ example: ["readonly", "system"] -- +*`file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`file.code_signature.exists`*:: + -- @@ -2778,6 +2838,17 @@ example: EQHXZ8M8AV -- +*`file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`file.code_signature.trusted`*:: + -- @@ -3149,6 +3220,19 @@ example: png -- +*`file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`file.gid`*:: + -- @@ -3292,7 +3376,7 @@ example: /home/alice/example.png *`file.path.text`*:: + -- -type: text +type: match_only_text -- @@ -3398,7 +3482,7 @@ type: keyword *`file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -4202,7 +4286,7 @@ example: Mac OS Mojave *`host.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -4231,7 +4315,7 @@ example: Mac OS X *`host.os.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -4324,7 +4408,7 @@ example: Albert Einstein *`host.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -4373,6 +4457,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`host.user.name`*:: @@ -4382,14 +4468,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`host.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -4428,7 +4514,7 @@ format: bytes -- The full HTTP request body. -type: keyword +type: wildcard example: Hello world @@ -4437,7 +4523,7 @@ example: Hello world *`http.request.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -4521,7 +4607,7 @@ format: bytes -- The full HTTP response body. -type: keyword +type: wildcard example: Hello world @@ -4530,7 +4616,7 @@ example: Hello world *`http.response.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -5339,7 +5425,7 @@ example: Mac OS Mojave *`observer.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -5368,7 +5454,7 @@ example: Mac OS X *`observer.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5586,7 +5672,7 @@ type: keyword *`organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5621,7 +5707,7 @@ example: Mac OS Mojave *`os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -5650,7 +5736,7 @@ example: Mac OS X *`os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5956,6 +6042,18 @@ example: 4 -- +*`process.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.code_signature.exists`*:: + -- 
@@ -6014,6 +6112,17 @@ example: EQHXZ8M8AV -- +*`process.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.code_signature.trusted`*:: + -- @@ -6044,7 +6153,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -6053,7 +6162,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -6338,6 +6447,17 @@ type: keyword -- +*`process.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.entity_id`*:: + -- @@ -6365,7 +6485,7 @@ example: /usr/bin/ssh *`process.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -6441,7 +6561,7 @@ example: ssh *`process.name.text`*:: + -- -type: text +type: match_only_text -- @@ -6469,6 +6589,18 @@ example: 4 -- +*`process.parent.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.parent.code_signature.exists`*:: + -- @@ -6527,6 +6659,17 @@ example: EQHXZ8M8AV -- +*`process.parent.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.parent.code_signature.trusted`*:: + -- @@ -6557,7 +6700,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 
@@ -6566,7 +6709,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.parent.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -6851,6 +6994,17 @@ type: keyword -- +*`process.parent.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.parent.entity_id`*:: + -- @@ -6878,7 +7032,7 @@ example: /usr/bin/ssh *`process.parent.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -6954,7 +7108,7 @@ example: ssh *`process.parent.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7121,7 +7275,7 @@ type: keyword *`process.parent.title.text`*:: + -- -type: text +type: match_only_text -- @@ -7150,7 +7304,7 @@ example: /home/alice *`process.parent.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -7317,7 +7471,7 @@ type: keyword *`process.title.text`*:: + -- -type: text +type: match_only_text -- @@ -7346,7 +7500,7 @@ example: /home/alice *`process.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -7374,7 +7528,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -7640,7 +7794,7 @@ example: Google LLC *`server.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7925,7 +8079,7 @@ example: Albert Einstein *`server.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -7974,6 +8128,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`server.user.name`*:: 
@@ -7983,14 +8139,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`server.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8012,6 +8168,30 @@ The service fields describe the service for or from which the data was collected These fields help you find and correlate logs for a specific service and version. +*`service.address`*:: ++ +-- +Address where data about this service was collected from. +This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + +type: keyword + +example: 172.26.0.2:5432 + +-- + +*`service.environment`*:: ++ +-- +Identifies the environment where the service is running. +If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + +type: keyword + +example: production + +-- + *`service.ephemeral_id`*:: + -- @@ -8139,7 +8319,7 @@ example: Google LLC *`source.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8424,7 +8604,7 @@ example: Albert Einstein *`source.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -8473,6 +8653,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`source.user.name`*:: @@ -8482,14 +8664,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`source.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8554,7 +8736,7 @@ example: Google LLC *`threat.enrichments.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -8618,6 +8800,18 @@ example: ["readonly", "system"] -- +*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.enrichments.indicator.file.code_signature.exists`*:: + -- @@ -8676,6 +8870,17 @@ example: EQHXZ8M8AV -- +*`threat.enrichments.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- @@ -9047,6 +9252,19 @@ example: png -- +*`threat.enrichments.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.enrichments.indicator.file.gid`*:: + -- 
@@ -9069,6 +9287,51 @@ example: alice -- +*`threat.enrichments.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.enrichments.indicator.file.inode`*:: + -- 
@@ -9145,26 +9408,104 @@ example: /home/alice/example.png *`threat.enrichments.indicator.file.path.text`*:: + -- -type: text +type: match_only_text -- -*`threat.enrichments.indicator.file.size`*:: +*`threat.enrichments.indicator.file.pe.architecture`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +CPU architecture target for the file. -type: long +type: keyword -example: 16384 +example: x64 -- -*`threat.enrichments.indicator.file.target_path`*:: +*`threat.enrichments.indicator.file.pe.company`*:: + -- -Target path for symlinks. +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.enrichments.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.enrichments.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.enrichments.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.enrichments.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.enrichments.indicator.file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". 
+ +type: long + +example: 16384 + +-- + +*`threat.enrichments.indicator.file.target_path`*:: ++ +-- +Target path for symlinks. type: keyword @@ -9173,7 +9514,7 @@ type: keyword *`threat.enrichments.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -9334,51 +9675,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.enrichments.indicator.ip`*:: + -- 
@@ -9427,84 +9723,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.enrichments.indicator.port`*:: + -- 
@@ -9556,7 +9774,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -9709,7 +9927,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -9718,7 +9936,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.enrichments.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -9729,7 +9947,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -9738,7 +9956,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.enrichments.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -9756,7 +9974,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -10174,7 +10392,8 @@ example: MITRE ATT&CK *`threat.group.alias`*:: + -- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword @@ -10185,7 +10404,8 @@ example: [ "Magecart Group 6" ] *`threat.group.id`*:: + -- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group id. type: keyword @@ -10196,7 +10416,8 @@ example: G0037 *`threat.group.name`*:: + -- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group name. type: keyword @@ -10207,7 +10428,8 @@ example: FIN6 *`threat.group.reference`*:: + -- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword 
@@ -10240,7 +10462,7 @@ example: Google LLC *`threat.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -10305,6 +10527,18 @@ example: ["readonly", "system"] -- +*`threat.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.indicator.file.code_signature.exists`*:: + -- @@ -10363,6 +10597,17 @@ example: EQHXZ8M8AV -- +*`threat.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.indicator.file.code_signature.trusted`*:: + -- @@ -10734,6 +10979,19 @@ example: png -- +*`threat.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.indicator.file.gid`*:: + -- 
@@ -10756,6 +11014,51 @@ example: alice -- +*`threat.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.indicator.file.inode`*:: + -- 
@@ -10832,7 +11135,85 @@ example: /home/alice/example.png *`threat.indicator.file.path.text`*:: + -- -type: text +type: match_only_text + +-- + +*`threat.indicator.file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System -- @@ -10860,7 +11241,7 @@ type: keyword *`threat.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -11021,51 +11402,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.indicator.ip`*:: + -- @@ -11115,84 +11451,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.indicator.port`*:: + -- 
@@ -11244,7 +11502,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -11398,7 +11656,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -11407,7 +11665,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -11418,7 +11676,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -11427,7 +11685,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -11445,7 +11703,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -11794,10 +12052,23 @@ example: 3 -- +*`threat.software.alias`*:: ++ +-- +The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® associated software description. + +type: keyword + +example: [ "X-Agent" ] + +-- + *`threat.software.id`*:: + -- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software id. type: keyword @@ -11808,7 +12079,8 @@ example: S0552 *`threat.software.name`*:: + -- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software name. type: keyword @@ -11819,7 +12091,7 @@ example: AdFind *`threat.software.platforms`*:: + -- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure @@ -11832,6 +12104,8 @@ Recommended Values: * SaaS * Windows +While not required, you can use a MITRE ATT&CK® software platforms. + type: keyword example: [ "Windows" ] 
@@ -11841,7 +12115,8 @@ example: [ "Windows" ] *`threat.software.reference`*:: + -- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword @@ -11852,11 +12127,13 @@ example: https://attack.mitre.org/software/S0552/ *`threat.software.type`*:: + -- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool + While not required, you can use a MITRE ATT&CK® software type. + type: keyword example: Tool @@ -11921,7 +12198,7 @@ example: Command and Scripting Interpreter *`threat.technique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -11961,7 +12238,7 @@ example: PowerShell *`threat.technique.subtechnique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -12909,7 +13186,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -12918,7 +13195,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`url.full.text`*:: + -- -type: text +type: match_only_text -- 
@@ -12929,7 +13206,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -12938,7 +13215,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -12956,7 +13233,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- @@ -13081,7 +13358,7 @@ example: Albert Einstein *`user.changes.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13130,6 +13407,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.changes.name`*:: @@ -13139,14 +13418,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.changes.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13204,7 +13483,7 @@ example: Albert Einstein *`user.effective.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13253,6 +13532,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.effective.name`*:: @@ -13262,14 +13543,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.effective.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13307,7 +13588,7 @@ example: Albert Einstein *`user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13356,6 +13637,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.name`*:: 
@@ -13365,14 +13648,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13420,7 +13703,7 @@ example: Albert Einstein *`user.target.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13469,6 +13752,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.target.name`*:: @@ -13478,14 +13763,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.target.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13543,7 +13828,7 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605. *`user_agent.original.text`*:: + -- -type: text +type: match_only_text -- @@ -13572,7 +13857,7 @@ example: Mac OS Mojave *`user_agent.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -13601,7 +13886,7 @@ example: Mac OS X *`user_agent.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13725,7 +14010,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC... *`vulnerability.description.text`*:: + -- -type: text +type: match_only_text -- diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index a304a77e9b00..3028ffa5f955 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetBuildFieldsFieldsCommonYml returns asset data. // This is the base64 encoded zlib format compressed contents of build/fields/fields.common.yml. func AssetBuildFieldsFieldsCommonYml() string { - return "" + return "" } diff --git a/x-pack/filebeat/module/activemq/audit/config/audit.yml b/x-pack/filebeat/module/activemq/audit/config/audit.yml index 54bf51f6f36c..de8ef56f13f9 100644 --- a/x-pack/filebeat/module/activemq/audit/config/audit.yml +++ b/x-pack/filebeat/module/activemq/audit/config/audit.yml 
@@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/activemq/log/config/log.yml b/x-pack/filebeat/module/activemq/log/config/log.yml index 2d4b0b52695f..90ba8d0e2d1c 100644 --- a/x-pack/filebeat/module/activemq/log/config/log.yml +++ b/x-pack/filebeat/module/activemq/log/config/log.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml b/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml index 97cde2469aea..6134344678ec 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/aws-s3.yml @@ -83,4 +83,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml index b5b74f729028..cc93e8e7af0a 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/aws-s3.yml b/x-pack/filebeat/module/aws/cloudwatch/config/aws-s3.yml index 617e9a46bc13..c98582c21ea5 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/aws-s3.yml @@ -69,4 +69,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml index b5b74f729028..cc93e8e7af0a 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml 
@@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/aws/ec2/config/aws-s3.yml b/x-pack/filebeat/module/aws/ec2/config/aws-s3.yml index 617e9a46bc13..c98582c21ea5 100644 --- a/x-pack/filebeat/module/aws/ec2/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/ec2/config/aws-s3.yml @@ -69,4 +69,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/aws/ec2/config/file.yml b/x-pack/filebeat/module/aws/ec2/config/file.yml index b5b74f729028..cc93e8e7af0a 100644 --- a/x-pack/filebeat/module/aws/ec2/config/file.yml +++ b/x-pack/filebeat/module/aws/ec2/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/aws/elb/config/aws-s3.yml b/x-pack/filebeat/module/aws/elb/config/aws-s3.yml index 617e9a46bc13..c98582c21ea5 100644 --- a/x-pack/filebeat/module/aws/elb/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/elb/config/aws-s3.yml @@ -69,4 +69,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/aws/elb/config/file.yml b/x-pack/filebeat/module/aws/elb/config/file.yml index cee792b4ad27..f7528eb63e21 100644 --- a/x-pack/filebeat/module/aws/elb/config/file.yml +++ b/x-pack/filebeat/module/aws/elb/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml b/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml index 617e9a46bc13..c98582c21ea5 100644 --- a/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml @@ -69,4 +69,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 
diff --git a/x-pack/filebeat/module/aws/s3access/config/file.yml b/x-pack/filebeat/module/aws/s3access/config/file.yml index cee792b4ad27..f7528eb63e21 100644 --- a/x-pack/filebeat/module/aws/s3access/config/file.yml +++ b/x-pack/filebeat/module/aws/s3access/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml b/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml index 660ce87ab13b..d4d98f083966 100644 --- a/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml @@ -7,7 +7,7 @@ processors: value: '{{_ingest.timestamp}}' - set: field: ecs.version - value: '1.11.0' + value: '1.12.0' - rename: field: message target_field: event.original diff --git a/x-pack/filebeat/module/awsfargate/log/config/aws-cloudwatch.yml b/x-pack/filebeat/module/awsfargate/log/config/aws-cloudwatch.yml index 6e10399de8cf..f7f3199028c4 100644 --- a/x-pack/filebeat/module/awsfargate/log/config/aws-cloudwatch.yml +++ b/x-pack/filebeat/module/awsfargate/log/config/aws-cloudwatch.yml @@ -60,4 +60,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/awsfargate/log/config/file.yml b/x-pack/filebeat/module/awsfargate/log/config/file.yml index c03faf9d8f4b..63092c3db35d 100644 --- a/x-pack/filebeat/module/awsfargate/log/config/file.yml +++ b/x-pack/filebeat/module/awsfargate/log/config/file.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml index aa494fa80dc4..cba3e7608f95 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml 
+++ b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml @@ -31,4 +31,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/azure/activitylogs/config/file.yml b/x-pack/filebeat/module/azure/activitylogs/config/file.yml index cee792b4ad27..f7528eb63e21 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/file.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml index 4d165a4bf915..0a579c2ee5bc 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml @@ -30,4 +30,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/azure/auditlogs/config/file.yml b/x-pack/filebeat/module/azure/auditlogs/config/file.yml index a55c42846179..1888fdafff7e 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/file.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml index a9ecd78495df..2d1d2e56f33d 100644 --- a/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml @@ -31,4 +31,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 
diff --git a/x-pack/filebeat/module/azure/platformlogs/config/file.yml b/x-pack/filebeat/module/azure/platformlogs/config/file.yml index cee792b4ad27..f7528eb63e21 100644 --- a/x-pack/filebeat/module/azure/platformlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/platformlogs/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml index d713eaf654fc..4c6c63dbf950 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml @@ -30,4 +30,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/azure/signinlogs/config/file.yml b/x-pack/filebeat/module/azure/signinlogs/config/file.yml index a55c42846179..1888fdafff7e 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/file.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml index d9b2ac16743d..af85938cf9cf 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml index c487ff209eae..a4c5ddb1b83e 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/input.yml +++ b/x-pack/filebeat/module/barracuda/waf/config/input.yml 
@@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml index da7e0c1fda25..01d5592b7ccf 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/input.yml +++ b/x-pack/filebeat/module/bluecoat/director/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/cef/log/config/input.yml b/x-pack/filebeat/module/cef/log/config/input.yml index a42adbd28130..4872f3c46b96 100644 --- a/x-pack/filebeat/module/cef/log/config/input.yml +++ b/x-pack/filebeat/module/cef/log/config/input.yml @@ -31,7 +31,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 {{ if .external_zones }} - add_fields: diff --git a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml index b4f258a3d919..a82ed1c39c43 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml @@ -28,7 +28,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 {{ if .external_zones }} - add_fields: target: _temp_ diff --git a/x-pack/filebeat/module/cisco/amp/config/config.yml b/x-pack/filebeat/module/cisco/amp/config/config.yml index 4a6f2660fe24..e125fb7dc2cf 100644 --- a/x-pack/filebeat/module/cisco/amp/config/config.yml +++ b/x-pack/filebeat/module/cisco/amp/config/config.yml @@ -77,4 +77,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index bf9948986959..4237b4d9ae21 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml 
+++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -23,7 +23,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 {{ if .external_zones }} - add_fields: diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index b65316895eb3..b29aa4c725f7 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml @@ -22,7 +22,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 {{ if .external_zones }} - add_fields: diff --git a/x-pack/filebeat/module/cisco/ios/config/input.yml b/x-pack/filebeat/module/cisco/ios/config/input.yml index 7051700ed126..d911aa3ed9e2 100644 --- a/x-pack/filebeat/module/cisco/ios/config/input.yml +++ b/x-pack/filebeat/module/cisco/ios/config/input.yml @@ -23,7 +23,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 - script: lang: javascript id: cisco_ios diff --git a/x-pack/filebeat/module/cisco/meraki/config/input.yml b/x-pack/filebeat/module/cisco/meraki/config/input.yml index 61a9c86030c3..6a02d794ecf9 100644 --- a/x-pack/filebeat/module/cisco/meraki/config/input.yml +++ b/x-pack/filebeat/module/cisco/meraki/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml index 85aa928d6143..096b3882b87d 100644 --- a/x-pack/filebeat/module/cisco/nexus/config/input.yml +++ b/x-pack/filebeat/module/cisco/nexus/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/cisco/umbrella/config/input.yml b/x-pack/filebeat/module/cisco/umbrella/config/input.yml index 992b25ac829c..25a1aaef5724 100644 
--- a/x-pack/filebeat/module/cisco/umbrella/config/input.yml +++ b/x-pack/filebeat/module/cisco/umbrella/config/input.yml @@ -22,4 +22,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/coredns/log/config/coredns.yml b/x-pack/filebeat/module/coredns/log/config/coredns.yml index abd735b999e0..ff3abb123d4d 100644 --- a/x-pack/filebeat/module/coredns/log/config/coredns.yml +++ b/x-pack/filebeat/module/coredns/log/config/coredns.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml index 6ec311ed2bd0..2c4e95d90894 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml @@ -30,4 +30,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/cyberarkpas/audit/config/input.yml b/x-pack/filebeat/module/cyberarkpas/audit/config/input.yml index 1f398b2ce16c..4348d99a9f65 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/config/input.yml +++ b/x-pack/filebeat/module/cyberarkpas/audit/config/input.yml @@ -29,4 +29,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml index 2481a0b42b09..8a3fc7172e20 100644 --- a/x-pack/filebeat/module/cylance/protect/config/input.yml +++ b/x-pack/filebeat/module/cylance/protect/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 
diff --git a/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml b/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml index abd735b999e0..ff3abb123d4d 100644 --- a/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml +++ b/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml @@ -9,4 +9,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/f5/bigipafm/config/input.yml b/x-pack/filebeat/module/f5/bigipafm/config/input.yml index c7222c475dcf..4a241639655f 100644 --- a/x-pack/filebeat/module/f5/bigipafm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipafm/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml index 1791f2617cae..94330616cdce 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipapm/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml index 408f00c7e0b5..5505a5c6f032 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml +++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml @@ -90,4 +90,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml index 59df92ad04bc..debef17bb199 100644 --- a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml 
@@ -29,7 +29,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 {{ if .external_interfaces }} - add_fields: diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml index 6c1dcd03354d..f56d1508955b 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml index 1505f60465f8..b9d0a0ad7974 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml @@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/gcp/audit/config/input.yml b/x-pack/filebeat/module/gcp/audit/config/input.yml index 793801abaec2..a33db9558427 100644 --- a/x-pack/filebeat/module/gcp/audit/config/input.yml +++ b/x-pack/filebeat/module/gcp/audit/config/input.yml @@ -34,4 +34,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/gcp/firewall/config/input.yml b/x-pack/filebeat/module/gcp/firewall/config/input.yml index 1974fd846e4c..cabd018e55c4 100644 --- a/x-pack/filebeat/module/gcp/firewall/config/input.yml +++ b/x-pack/filebeat/module/gcp/firewall/config/input.yml @@ -38,4 +38,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/gcp/vpcflow/config/input.yml b/x-pack/filebeat/module/gcp/vpcflow/config/input.yml index 4d4fc036eb41..52decb731314 100644 --- a/x-pack/filebeat/module/gcp/vpcflow/config/input.yml 
+++ b/x-pack/filebeat/module/gcp/vpcflow/config/input.yml @@ -37,4 +37,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/filebeat/module/google_workspace/admin/config/config.yml b/x-pack/filebeat/module/google_workspace/admin/config/config.yml index c7513dd0ca76..6cb67fd728e4 100644 --- a/x-pack/filebeat/module/google_workspace/admin/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/admin/config/config.yml @@ -49,7 +49,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 - script: lang: javascript id: gworkspace-common diff --git a/x-pack/filebeat/module/google_workspace/drive/config/config.yml b/x-pack/filebeat/module/google_workspace/drive/config/config.yml index 3ec2bb5493ac..941e9cb4383e 100644 --- a/x-pack/filebeat/module/google_workspace/drive/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/drive/config/config.yml @@ -49,7 +49,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 - script: lang: javascript id: gworkspace-common diff --git a/x-pack/filebeat/module/google_workspace/groups/config/config.yml b/x-pack/filebeat/module/google_workspace/groups/config/config.yml index 7e5d1cfa8bf9..62833d56d58d 100644 --- a/x-pack/filebeat/module/google_workspace/groups/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/groups/config/config.yml @@ -49,7 +49,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 - script: lang: javascript id: gworkspace-common diff --git a/x-pack/filebeat/module/google_workspace/login/config/config.yml b/x-pack/filebeat/module/google_workspace/login/config/config.yml index 0dc25e57c612..09de8ef45d14 100644 --- a/x-pack/filebeat/module/google_workspace/login/config/config.yml +++ b/x-pack/filebeat/module/google_workspace/login/config/config.yml 
@@ -49,7 +49,7 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
 - script:
 lang: javascript
 id: gworkspace-common
diff --git a/x-pack/filebeat/module/google_workspace/saml/config/config.yml b/x-pack/filebeat/module/google_workspace/saml/config/config.yml
index 9e35d53de127..87c754e51076 100644
--- a/x-pack/filebeat/module/google_workspace/saml/config/config.yml
+++ b/x-pack/filebeat/module/google_workspace/saml/config/config.yml
@@ -49,7 +49,7 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
 - script:
 lang: javascript
 id: gworkspace-common
diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml b/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml
index ed061bbcb3ac..4807b79e8ed7 100644
--- a/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml
+++ b/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml
@@ -49,7 +49,7 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
 - script:
 lang: javascript
 id: gworkspace-common
diff --git a/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml b/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml
index 8f2772da572e..a74fc5abd3cc 100644
--- a/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml
+++ b/x-pack/filebeat/module/ibmmq/errorlog/config/errorlog.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml
index 2ee938dafaaa..ded2efcd6528 100644
--- a/x-pack/filebeat/module/imperva/securesphere/config/input.yml
+++ b/x-pack/filebeat/module/imperva/securesphere/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml
index 6f709ed1a03d..f475dd2fca64 100644
--- a/x-pack/filebeat/module/infoblox/nios/config/input.yml
+++ b/x-pack/filebeat/module/infoblox/nios/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/iptables/log/config/input.yml b/x-pack/filebeat/module/iptables/log/config/input.yml
index 91543102840c..d573753588a4 100644
--- a/x-pack/filebeat/module/iptables/log/config/input.yml
+++ b/x-pack/filebeat/module/iptables/log/config/input.yml
@@ -23,4 +23,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml
index 9effa806f38d..117a222475f9 100644
--- a/x-pack/filebeat/module/juniper/junos/config/input.yml
+++ b/x-pack/filebeat/module/juniper/junos/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/juniper/netscreen/config/input.yml b/x-pack/filebeat/module/juniper/netscreen/config/input.yml
index 74d55d6cd278..a37550ca8367 100644
--- a/x-pack/filebeat/module/juniper/netscreen/config/input.yml
+++ b/x-pack/filebeat/module/juniper/netscreen/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/juniper/srx/config/srx.yml b/x-pack/filebeat/module/juniper/srx/config/srx.yml
index ac98955f37a8..a807ab0d5ce8 100644
--- a/x-pack/filebeat/module/juniper/srx/config/srx.yml
+++ b/x-pack/filebeat/module/juniper/srx/config/srx.yml
@@ -28,4 +28,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
index 45f08a2f37c4..937cc6cbf064 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
+++ b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
@@ -58,4 +58,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml
index 81d105112060..1c7ee86cc9d4 100644
--- a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml
+++ b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
index 11ef9ba2861b..0e5df8243808 100644
--- a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
+++ b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
@@ -56,4 +56,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/misp/threat/config/input.yml b/x-pack/filebeat/module/misp/threat/config/input.yml
index 40d66184f461..7577ee3e9322 100644
--- a/x-pack/filebeat/module/misp/threat/config/input.yml
+++ b/x-pack/filebeat/module/misp/threat/config/input.yml
@@ -59,4 +59,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/mssql/log/config/config.yml b/x-pack/filebeat/module/mssql/log/config/config.yml
index dc9c59e66a93..458694257acf 100644
--- a/x-pack/filebeat/module/mssql/log/config/config.yml
+++ b/x-pack/filebeat/module/mssql/log/config/config.yml
@@ -14,4 +14,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml b/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml
index 4b448893ee6d..565757b95885 100644
--- a/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml
+++ b/x-pack/filebeat/module/mysqlenterprise/audit/config/config.yml
@@ -13,4 +13,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/netflow/log/config/netflow.yml b/x-pack/filebeat/module/netflow/log/config/netflow.yml
index c79cd1881eaa..995040c25212 100644
--- a/x-pack/filebeat/module/netflow/log/config/netflow.yml
+++ b/x-pack/filebeat/module/netflow/log/config/netflow.yml
@@ -36,4 +36,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml
index 0c0ddde3eb32..677a2b3462e6 100644
--- a/x-pack/filebeat/module/netscout/sightline/config/input.yml
+++ b/x-pack/filebeat/module/netscout/sightline/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/o365/audit/config/input.yml b/x-pack/filebeat/module/o365/audit/config/input.yml
index e0e1e08fecc3..aebb7ffde571 100644
--- a/x-pack/filebeat/module/o365/audit/config/input.yml
+++ b/x-pack/filebeat/module/o365/audit/config/input.yml
@@ -67,4 +67,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/okta/system/config/input.yml b/x-pack/filebeat/module/okta/system/config/input.yml
index 81742c895019..f112eec39166 100644
--- a/x-pack/filebeat/module/okta/system/config/input.yml
+++ b/x-pack/filebeat/module/okta/system/config/input.yml
@@ -69,4 +69,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/oracle/database_audit/config/config.yml b/x-pack/filebeat/module/oracle/database_audit/config/config.yml
index e1bb311618b9..3f86e2bf98ef 100644
--- a/x-pack/filebeat/module/oracle/database_audit/config/config.yml
+++ b/x-pack/filebeat/module/oracle/database_audit/config/config.yml
@@ -18,4 +18,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index 1306db7578da..0d475a1d4a66 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -330,4 +330,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml
index d95176ae92c4..e339988e8dc9 100644
--- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml
+++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/rabbitmq/log/config/log.yml b/x-pack/filebeat/module/rabbitmq/log/config/log.yml
index 6b46f7f9a9e6..77cf8c4d433d 100644
--- a/x-pack/filebeat/module/rabbitmq/log/config/log.yml
+++ b/x-pack/filebeat/module/rabbitmq/log/config/log.yml
@@ -18,4 +18,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml
index b7f1fdac37f6..929b596bbd9c 100644
--- a/x-pack/filebeat/module/radware/defensepro/config/input.yml
+++ b/x-pack/filebeat/module/radware/defensepro/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml
index 3fe3e5d290d5..2678c7fa2718 100644
--- a/x-pack/filebeat/module/snort/log/config/input.yml
+++ b/x-pack/filebeat/module/snort/log/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/snyk/audit/config/config.yml b/x-pack/filebeat/module/snyk/audit/config/config.yml
index 1339c20773f1..7ff98b032f24 100644
--- a/x-pack/filebeat/module/snyk/audit/config/config.yml
+++ b/x-pack/filebeat/module/snyk/audit/config/config.yml
@@ -78,4 +78,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/snyk/vulnerabilities/config/config.yml b/x-pack/filebeat/module/snyk/vulnerabilities/config/config.yml
index f1b524743e88..90af60fbad03 100644
--- a/x-pack/filebeat/module/snyk/vulnerabilities/config/config.yml
+++ b/x-pack/filebeat/module/snyk/vulnerabilities/config/config.yml
@@ -101,4 +101,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
index c0aa0b109708..a90a84dc451b 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
+++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/sophos/utm/config/input.yml b/x-pack/filebeat/module/sophos/utm/config/input.yml
index 6b3c2c220836..75119fa49201 100644
--- a/x-pack/filebeat/module/sophos/utm/config/input.yml
+++ b/x-pack/filebeat/module/sophos/utm/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/sophos/xg/config/config.yml b/x-pack/filebeat/module/sophos/xg/config/config.yml
index fa3d3d9ddebf..1262aaf33c0e 100644
--- a/x-pack/filebeat/module/sophos/xg/config/config.yml
+++ b/x-pack/filebeat/module/sophos/xg/config/config.yml
@@ -27,7 +27,7 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
 - add_fields:
 target: '_conf'
 fields:
diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml
index eee289d2083f..fadcc7a49b8f 100644
--- a/x-pack/filebeat/module/squid/log/config/input.yml
+++ b/x-pack/filebeat/module/squid/log/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml
index 54003d974693..d7e6034c5c06 100644
--- a/x-pack/filebeat/module/suricata/eve/config/eve.yml
+++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml
@@ -65,4 +65,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml
index b287f5bbdbd2..c699705e2685 100644
--- a/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/abusemalware/config/config.yml
@@ -44,4 +44,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml
index afd9f83781d6..2da071910c2b 100644
--- a/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/abuseurl/config/config.yml
@@ -44,4 +44,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/threatintel/anomali/config/config.yml b/x-pack/filebeat/module/threatintel/anomali/config/config.yml
index 74058d24c63a..3668a0b2f556 100644
--- a/x-pack/filebeat/module/threatintel/anomali/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/anomali/config/config.yml
@@ -68,4 +68,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml b/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml
index f6cb941d1458..f6cfe0243053 100644
--- a/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/anomalithreatstream/config/config.yml
@@ -41,7 +41,7 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
 - fingerprint:
 fields:
 - event.dataset
diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
index da2d8249ab0d..8426de172c55 100644
--- a/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/malwarebazaar/config/config.yml
@@ -50,4 +50,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/threatintel/misp/config/config.yml b/x-pack/filebeat/module/threatintel/misp/config/config.yml
index 27b7ed0f49f3..aa5e6222d806 100644
--- a/x-pack/filebeat/module/threatintel/misp/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/misp/config/config.yml
@@ -74,4 +74,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.10.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/threatintel/otx/config/config.yml b/x-pack/filebeat/module/threatintel/otx/config/config.yml
index 49a8271baa96..04edde001645 100644
--- a/x-pack/filebeat/module/threatintel/otx/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/otx/config/config.yml
@@ -69,4 +69,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml
index 096126adf38c..aff04f461466 100644
--- a/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml
+++ b/x-pack/filebeat/module/threatintel/recordedfuture/config/config.yml
@@ -55,7 +55,7 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
 - script:
 lang: javascript
 id: set_opt_type
diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml
index a89774cee491..10a6921f961e 100644
--- a/x-pack/filebeat/module/tomcat/log/config/input.yml
+++ b/x-pack/filebeat/module/tomcat/log/config/input.yml
@@ -84,4 +84,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml
index e708989f86e5..4b13416c0f26 100644
--- a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml
+++ b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml
@@ -22,4 +22,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml
index 97ed4e16f3c8..168bdcdbef21 100644
--- a/x-pack/filebeat/module/zeek/connection/config/connection.yml
+++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml
@@ -109,4 +109,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml
index a433da46f21d..53c7e06aa54e 100644
--- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml
+++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml
@@ -65,4 +65,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml
index b6ded7496f84..d130d0e16f34 100644
--- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml
+++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml
@@ -127,4 +127,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml
index 482cb5f8a0c4..45dc4b5cbd56 100644
--- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml
+++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml
@@ -75,4 +75,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml
index c75c35f4c6d1..9c1982125cde 100644
--- a/x-pack/filebeat/module/zeek/dns/config/dns.yml
+++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml
@@ -221,4 +221,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml
index 23175b1b11f9..dce46b6a3c29 100644
--- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml
+++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml
@@ -64,4 +64,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/files/config/files.yml b/x-pack/filebeat/module/zeek/files/config/files.yml
index 375b01d7cc19..d5c0c7218659 100644
--- a/x-pack/filebeat/module/zeek/files/config/files.yml
+++ b/x-pack/filebeat/module/zeek/files/config/files.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml
index 9c11e8252aea..eebc9806239f 100644
--- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml
+++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml
@@ -93,4 +93,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml
index c1edcf259746..31c32d8a321c 100644
--- a/x-pack/filebeat/module/zeek/http/config/http.yml
+++ b/x-pack/filebeat/module/zeek/http/config/http.yml
@@ -102,4 +102,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml
index bbf1b3089863..fcfb93c95163 100644
--- a/x-pack/filebeat/module/zeek/intel/config/intel.yml
+++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml
@@ -74,4 +74,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml
index d9d48900e0c0..344142e940dc 100644
--- a/x-pack/filebeat/module/zeek/irc/config/irc.yml
+++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml
@@ -79,4 +79,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml
index a9c7b2567e0c..40124c42af94 100644
--- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml
+++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml
@@ -111,4 +111,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml
index 8d22959c2c09..8b28acf4c739 100644
--- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml
+++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml
@@ -80,4 +80,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml
index 292286b0427e..bcd9c629aee3 100644
--- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml
+++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml
@@ -79,4 +79,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml
index 9482399abf1a..8c2ed9f85c91 100644
--- a/x-pack/filebeat/module/zeek/notice/config/notice.yml
+++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml
@@ -111,4 +111,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml
index 822d08ef0c93..e87ad452507f 100644
--- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml
+++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml
@@ -93,4 +93,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/ntp/config/ntp.yml b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml
index 6763fb4b2a69..0a985115882a 100644
--- a/x-pack/filebeat/module/zeek/ntp/config/ntp.yml
+++ b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml
@@ -61,4 +61,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml
index 4ff0fef02d96..2383e15af899 100644
--- a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml
+++ b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml
@@ -64,4 +64,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/pe/config/pe.yml b/x-pack/filebeat/module/zeek/pe/config/pe.yml
index e91f368710d3..0fb8091cfe83 100644
--- a/x-pack/filebeat/module/zeek/pe/config/pe.yml
+++ b/x-pack/filebeat/module/zeek/pe/config/pe.yml
@@ -33,4 +33,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml
index 0730f685a28c..f4395dbde5de 100644
--- a/x-pack/filebeat/module/zeek/radius/config/radius.yml
+++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml
@@ -65,4 +65,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml
index 473f4aeb343f..678bc228f120 100644
--- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml
+++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml
@@ -95,4 +95,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml
index 59640f5ec021..b65225ac025e 100644
--- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml
+++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml
@@ -80,4 +80,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/signature/config/signature.yml b/x-pack/filebeat/module/zeek/signature/config/signature.yml
index 3a434acf8b45..24b6307bcea3 100644
--- a/x-pack/filebeat/module/zeek/signature/config/signature.yml
+++ b/x-pack/filebeat/module/zeek/signature/config/signature.yml
@@ -54,4 +54,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml
index 9deb14f22476..28a6dee1a5c7 100644
--- a/x-pack/filebeat/module/zeek/sip/config/sip.yml
+++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml
@@ -102,4 +102,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml
index ca595e45a000..b428a0c2681e 100644
--- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml
+++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml
@@ -108,4 +108,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml
index 1de2b3ac9db4..be26334d8187 100644
--- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml
+++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml
@@ -68,4 +68,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml
index 3b29616d74d5..23786587f41f 100644
--- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml
+++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml
@@ -64,4 +64,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml
index 431ba698c50e..27d928ef70dd 100644
--- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml
+++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml
@@ -74,4 +74,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml
index bc6b70910d99..8a0c2eef68ef 100644
--- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml
+++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml
@@ -76,4 +76,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml
index 54c2a902d74e..18ea530202be 100644
--- a/x-pack/filebeat/module/zeek/socks/config/socks.yml
+++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml
@@ -74,4 +74,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml
index c5b0bff90359..1ea77ca0743f 100644
--- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml
+++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml
@@ -83,4 +83,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
index 4c260cef5020..f3efb28ca226 100644
--- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
+++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
@@ -101,4 +101,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/stats/config/stats.yml b/x-pack/filebeat/module/zeek/stats/config/stats.yml
index 0e3431e151aa..ec62666d67b1 100644
--- a/x-pack/filebeat/module/zeek/stats/config/stats.yml
+++ b/x-pack/filebeat/module/zeek/stats/config/stats.yml
@@ -97,4 +97,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml
index 23719375af86..cc16e1e2b312 100644
--- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml
+++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml
@@ -64,4 +64,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml
index 6108574d1ec1..207225b8c765 100644
--- a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml
+++ b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml
@@ -52,4 +52,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml
index 7b6d53672bb3..770378808e74 100644
--- a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml
+++ b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml
@@ -63,4 +63,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/weird/config/weird.yml b/x-pack/filebeat/module/zeek/weird/config/weird.yml
index 780119041e51..7632a73a9bac 100644
--- a/x-pack/filebeat/module/zeek/weird/config/weird.yml
+++ b/x-pack/filebeat/module/zeek/weird/config/weird.yml
@@ -63,4 +63,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zeek/x509/config/x509.yml b/x-pack/filebeat/module/zeek/x509/config/x509.yml
index 8a5a797815f8..8e52f576a5f1 100644
--- a/x-pack/filebeat/module/zeek/x509/config/x509.yml
+++ b/x-pack/filebeat/module/zeek/x509/config/x509.yml
@@ -67,4 +67,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zookeeper/audit/config/audit.yml b/x-pack/filebeat/module/zookeeper/audit/config/audit.yml
index c39345acad84..36b8d4138594 100644
--- a/x-pack/filebeat/module/zookeeper/audit/config/audit.yml
+++ b/x-pack/filebeat/module/zookeeper/audit/config/audit.yml
@@ -9,4 +9,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zookeeper/log/config/log.yml b/x-pack/filebeat/module/zookeeper/log/config/log.yml
index c39345acad84..36b8d4138594 100644
--- a/x-pack/filebeat/module/zookeeper/log/config/log.yml
+++ b/x-pack/filebeat/module/zookeeper/log/config/log.yml
@@ -9,4 +9,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml
index 436ad36cd094..312ba2c208a6 100644
--- a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml
+++ b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml
@@ -34,4 +34,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.11.0
+ ecs.version: 1.12.0
diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml
index d2d66f0343d6..36e7fd2e2f92 100644
--- a/x-pack/filebeat/module/zscaler/zia/config/input.yml
+++ b/x-pack/filebeat/module/zscaler/zia/config/input.yml
@@ -84,4 +84,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.11.0 + ecs.version: 1.12.0 diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index 55d7fe99d673..b6dab3f6bb35 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc @@ -262,7 +262,7 @@ For log events the message field contains the log message, optimized for viewing For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. -type: text +type: match_only_text example: Hello World @@ -389,7 +389,7 @@ example: Google LLC *`as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -436,7 +436,7 @@ example: Google LLC *`client.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -721,7 +721,7 @@ example: Albert Einstein *`client.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -770,6 +770,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`client.user.name`*:: @@ -779,14 +781,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`client.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -937,6 +939,18 @@ example: lambda These fields contain information about binary code signatures. +*`code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`code_signature.exists`*:: + -- 
@@ -995,6 +1009,17 @@ example: EQHXZ8M8AV -- +*`code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`code_signature.trusted`*:: + -- @@ -1174,7 +1199,7 @@ example: Google LLC *`destination.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1459,7 +1484,7 @@ example: Albert Einstein *`destination.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -1508,6 +1533,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`destination.user.name`*:: @@ -1517,14 +1544,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`destination.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1550,6 +1577,18 @@ Many operating systems refer to "shared code libraries" with different names, bu * Dynamic library (`.dylib`) commonly used on macOS +*`dll.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`dll.code_signature.exists`*:: + -- @@ -1608,6 +1647,17 @@ example: EQHXZ8M8AV -- +*`dll.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`dll.code_signature.trusted`*:: + -- @@ -2331,7 +2381,7 @@ type: keyword -- Error message. -type: text +type: match_only_text -- @@ -2340,16 +2390,14 @@ type: text -- The stack trace of this error in plain text. -type: keyword - -Field is not indexed. +type: wildcard -- *`error.stack_trace.text`*:: + -- -type: text +type: match_only_text -- 
@@ -2716,6 +2764,18 @@ example: ["readonly", "system"] -- +*`file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`file.code_signature.exists`*:: + -- @@ -2774,6 +2834,17 @@ example: EQHXZ8M8AV -- +*`file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`file.code_signature.trusted`*:: + -- @@ -3145,6 +3216,19 @@ example: png -- +*`file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`file.gid`*:: + -- @@ -3288,7 +3372,7 @@ example: /home/alice/example.png *`file.path.text`*:: + -- -type: text +type: match_only_text -- @@ -3394,7 +3478,7 @@ type: keyword *`file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -4198,7 +4282,7 @@ example: Mac OS Mojave *`host.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -4227,7 +4311,7 @@ example: Mac OS X *`host.os.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -4320,7 +4404,7 @@ example: Albert Einstein *`host.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -4369,6 +4453,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`host.user.name`*:: @@ -4378,14 +4464,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`host.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -4424,7 +4510,7 @@ format: bytes -- The full HTTP request body. -type: keyword +type: wildcard example: Hello world @@ -4433,7 +4519,7 @@ example: Hello world *`http.request.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -4517,7 +4603,7 @@ format: bytes -- The full HTTP response body. -type: keyword +type: wildcard example: Hello world @@ -4526,7 +4612,7 @@ example: Hello world *`http.response.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -5335,7 +5421,7 @@ example: Mac OS Mojave *`observer.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -5364,7 +5450,7 @@ example: Mac OS X *`observer.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5582,7 +5668,7 @@ type: keyword *`organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5617,7 +5703,7 @@ example: Mac OS Mojave *`os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -5646,7 +5732,7 @@ example: Mac OS X *`os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5952,6 +6038,18 @@ example: 4 -- +*`process.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.code_signature.exists`*:: + -- 
@@ -6010,6 +6108,17 @@ example: EQHXZ8M8AV -- +*`process.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.code_signature.trusted`*:: + -- @@ -6040,7 +6149,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -6049,7 +6158,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -6334,6 +6443,17 @@ type: keyword -- +*`process.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.entity_id`*:: + -- @@ -6361,7 +6481,7 @@ example: /usr/bin/ssh *`process.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -6437,7 +6557,7 @@ example: ssh *`process.name.text`*:: + -- -type: text +type: match_only_text -- @@ -6465,6 +6585,18 @@ example: 4 -- +*`process.parent.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.parent.code_signature.exists`*:: + -- @@ -6523,6 +6655,17 @@ example: EQHXZ8M8AV -- +*`process.parent.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.parent.code_signature.trusted`*:: + -- @@ -6553,7 +6696,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 
@@ -6562,7 +6705,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.parent.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -6847,6 +6990,17 @@ type: keyword -- +*`process.parent.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.parent.entity_id`*:: + -- @@ -6874,7 +7028,7 @@ example: /usr/bin/ssh *`process.parent.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -6950,7 +7104,7 @@ example: ssh *`process.parent.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7117,7 +7271,7 @@ type: keyword *`process.parent.title.text`*:: + -- -type: text +type: match_only_text -- @@ -7146,7 +7300,7 @@ example: /home/alice *`process.parent.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -7313,7 +7467,7 @@ type: keyword *`process.title.text`*:: + -- -type: text +type: match_only_text -- @@ -7342,7 +7496,7 @@ example: /home/alice *`process.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -7370,7 +7524,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -7636,7 +7790,7 @@ example: Google LLC *`server.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7921,7 +8075,7 @@ example: Albert Einstein *`server.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -7970,6 +8124,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`server.user.name`*:: 
@@ -7979,14 +8135,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`server.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8008,6 +8164,30 @@ The service fields describe the service for or from which the data was collected These fields help you find and correlate logs for a specific service and version. +*`service.address`*:: ++ +-- +Address where data about this service was collected from. +This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + +type: keyword + +example: 172.26.0.2:5432 + +-- + +*`service.environment`*:: ++ +-- +Identifies the environment where the service is running. +If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + +type: keyword + +example: production + +-- + *`service.ephemeral_id`*:: + -- @@ -8135,7 +8315,7 @@ example: Google LLC *`source.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8420,7 +8600,7 @@ example: Albert Einstein *`source.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -8469,6 +8649,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`source.user.name`*:: @@ -8478,14 +8660,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`source.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8550,7 +8732,7 @@ example: Google LLC *`threat.enrichments.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -8614,6 +8796,18 @@ example: ["readonly", "system"] -- +*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.enrichments.indicator.file.code_signature.exists`*:: + -- @@ -8672,6 +8866,17 @@ example: EQHXZ8M8AV -- +*`threat.enrichments.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- @@ -9043,6 +9248,19 @@ example: png -- +*`threat.enrichments.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.enrichments.indicator.file.gid`*:: + -- 
@@ -9065,6 +9283,51 @@ example: alice -- +*`threat.enrichments.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.enrichments.indicator.file.inode`*:: + -- 
@@ -9141,26 +9404,104 @@ example: /home/alice/example.png *`threat.enrichments.indicator.file.path.text`*:: + -- -type: text +type: match_only_text -- -*`threat.enrichments.indicator.file.size`*:: +*`threat.enrichments.indicator.file.pe.architecture`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +CPU architecture target for the file. -type: long +type: keyword -example: 16384 +example: x64 -- -*`threat.enrichments.indicator.file.target_path`*:: +*`threat.enrichments.indicator.file.pe.company`*:: + -- -Target path for symlinks. +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.enrichments.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.enrichments.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.enrichments.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.enrichments.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.enrichments.indicator.file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". 
+ +type: long + +example: 16384 + +-- + +*`threat.enrichments.indicator.file.target_path`*:: ++ +-- +Target path for symlinks. type: keyword @@ -9169,7 +9510,7 @@ type: keyword *`threat.enrichments.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -9330,51 +9671,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.enrichments.indicator.ip`*:: + -- 
@@ -9423,84 +9719,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.enrichments.indicator.port`*:: + -- 
@@ -9552,7 +9770,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -9705,7 +9923,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -9714,7 +9932,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.enrichments.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -9725,7 +9943,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -9734,7 +9952,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.enrichments.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -9752,7 +9970,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -10170,7 +10388,8 @@ example: MITRE ATT&CK *`threat.group.alias`*:: + -- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword @@ -10181,7 +10400,8 @@ example: [ "Magecart Group 6" ] *`threat.group.id`*:: + -- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group id. type: keyword @@ -10192,7 +10412,8 @@ example: G0037 *`threat.group.name`*:: + -- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group name. type: keyword @@ -10203,7 +10424,8 @@ example: FIN6 *`threat.group.reference`*:: + -- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword 
@@ -10236,7 +10458,7 @@ example: Google LLC *`threat.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -10301,6 +10523,18 @@ example: ["readonly", "system"] -- +*`threat.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.indicator.file.code_signature.exists`*:: + -- @@ -10359,6 +10593,17 @@ example: EQHXZ8M8AV -- +*`threat.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.indicator.file.code_signature.trusted`*:: + -- @@ -10730,6 +10975,19 @@ example: png -- +*`threat.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.indicator.file.gid`*:: + -- 
@@ -10752,6 +11010,51 @@ example: alice -- +*`threat.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.indicator.file.inode`*:: + -- 
@@ -10828,7 +11131,85 @@ example: /home/alice/example.png *`threat.indicator.file.path.text`*:: + -- -type: text +type: match_only_text + +-- + +*`threat.indicator.file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System -- @@ -10856,7 +11237,7 @@ type: keyword *`threat.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -11017,51 +11398,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.indicator.ip`*:: + -- @@ -11111,84 +11447,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.indicator.port`*:: + -- 
@@ -11240,7 +11498,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -11394,7 +11652,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -11403,7 +11661,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -11414,7 +11672,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -11423,7 +11681,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -11441,7 +11699,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -11790,10 +12048,23 @@ example: 3 -- +*`threat.software.alias`*:: ++ +-- +The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® associated software description. + +type: keyword + +example: [ "X-Agent" ] + +-- + *`threat.software.id`*:: + -- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software id. type: keyword @@ -11804,7 +12075,8 @@ example: S0552 *`threat.software.name`*:: + -- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software name. type: keyword @@ -11815,7 +12087,7 @@ example: AdFind *`threat.software.platforms`*:: + -- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure @@ -11828,6 +12100,8 @@ Recommended Values: * SaaS * Windows +While not required, you can use a MITRE ATT&CK® software platforms. + type: keyword example: [ "Windows" ] 
@@ -11837,7 +12111,8 @@ example: [ "Windows" ] *`threat.software.reference`*:: + -- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword @@ -11848,11 +12123,13 @@ example: https://attack.mitre.org/software/S0552/ *`threat.software.type`*:: + -- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool + While not required, you can use a MITRE ATT&CK® software type. + type: keyword example: Tool @@ -11917,7 +12194,7 @@ example: Command and Scripting Interpreter *`threat.technique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -11957,7 +12234,7 @@ example: PowerShell *`threat.technique.subtechnique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -12905,7 +13182,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -12914,7 +13191,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`url.full.text`*:: + -- -type: text +type: match_only_text -- 
@@ -12925,7 +13202,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -12934,7 +13211,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -12952,7 +13229,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- @@ -13077,7 +13354,7 @@ example: Albert Einstein *`user.changes.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13126,6 +13403,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.changes.name`*:: @@ -13135,14 +13414,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.changes.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13200,7 +13479,7 @@ example: Albert Einstein *`user.effective.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13249,6 +13528,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.effective.name`*:: @@ -13258,14 +13539,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.effective.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13303,7 +13584,7 @@ example: Albert Einstein *`user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13352,6 +13633,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.name`*:: 
@@ -13361,14 +13644,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13416,7 +13699,7 @@ example: Albert Einstein *`user.target.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13465,6 +13748,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.target.name`*:: @@ -13474,14 +13759,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.target.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13539,7 +13824,7 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605. *`user_agent.original.text`*:: + -- -type: text +type: match_only_text -- @@ -13568,7 +13853,7 @@ example: Mac OS Mojave *`user_agent.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -13597,7 +13882,7 @@ example: Mac OS X *`user_agent.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13721,7 +14006,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC... *`vulnerability.description.text`*:: + -- -type: text +type: match_only_text -- diff --git a/x-pack/functionbeat/include/fields.go b/x-pack/functionbeat/include/fields.go index 525f06efde8d..d650fc6a25a5 100644 --- a/x-pack/functionbeat/include/fields.go +++ b/x-pack/functionbeat/include/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded zlib format compressed contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/x-pack/heartbeat/include/fields.go b/x-pack/heartbeat/include/fields.go index dd6c0635843d..7a55f9788cb6 100644 --- a/x-pack/heartbeat/include/fields.go +++ b/x-pack/heartbeat/include/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded zlib format compressed contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/x-pack/metricbeat/cmd/root.go b/x-pack/metricbeat/cmd/root.go index 3d343deae1ec..6cb61fffed58 100644 --- a/x-pack/metricbeat/cmd/root.go +++ b/x-pack/metricbeat/cmd/root.go @@ -31,7 +31,7 @@ const ( Name = "metricbeat" // ecsVersion specifies the version of ECS that this beat is implementing. - ecsVersion = "1.11.0" + ecsVersion = "1.12.0" ) // RootCmd to handle beats cli diff --git a/x-pack/osquerybeat/cmd/root.go b/x-pack/osquerybeat/cmd/root.go index f8bcd4dbfde4..bbd8b64abdae 100644 --- a/x-pack/osquerybeat/cmd/root.go +++ b/x-pack/osquerybeat/cmd/root.go @@ -20,7 +20,7 @@ const ( Name = "osquerybeat" // ecsVersion specifies the version of ECS that this beat is implementing. - ecsVersion = "1.11.0" + ecsVersion = "1.12.0" ) // withECSVersion is a modifier that adds ecs.version to events. diff --git a/x-pack/osquerybeat/docs/fields.asciidoc b/x-pack/osquerybeat/docs/fields.asciidoc index 8d2e4fb09381..cc4b4281cfac 100644 --- a/x-pack/osquerybeat/docs/fields.asciidoc +++ b/x-pack/osquerybeat/docs/fields.asciidoc @@ -262,7 +262,7 @@ For log events the message field contains the log message, optimized for viewing For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. -type: text +type: match_only_text example: Hello World @@ -389,7 +389,7 @@ example: Google LLC *`as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -436,7 +436,7 @@ example: Google LLC *`client.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -721,7 +721,7 @@ example: Albert Einstein *`client.user.full_name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -770,6 +770,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`client.user.name`*:: @@ -779,14 +781,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`client.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -937,6 +939,18 @@ example: lambda These fields contain information about binary code signatures. +*`code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`code_signature.exists`*:: + -- @@ -995,6 +1009,17 @@ example: EQHXZ8M8AV -- +*`code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`code_signature.trusted`*:: + -- @@ -1174,7 +1199,7 @@ example: Google LLC *`destination.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -1459,7 +1484,7 @@ example: Albert Einstein *`destination.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -1508,6 +1533,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`destination.user.name`*:: @@ -1517,14 +1544,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`destination.user.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -1550,6 +1577,18 @@ Many operating systems refer to "shared code libraries" with different names, bu * Dynamic library (`.dylib`) commonly used on macOS +*`dll.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`dll.code_signature.exists`*:: + -- @@ -1608,6 +1647,17 @@ example: EQHXZ8M8AV -- +*`dll.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`dll.code_signature.trusted`*:: + -- @@ -2331,7 +2381,7 @@ type: keyword -- Error message. -type: text +type: match_only_text -- @@ -2340,16 +2390,14 @@ type: text -- The stack trace of this error in plain text. -type: keyword - -Field is not indexed. +type: wildcard -- *`error.stack_trace.text`*:: + -- -type: text +type: match_only_text -- @@ -2716,6 +2764,18 @@ example: ["readonly", "system"] -- +*`file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`file.code_signature.exists`*:: + -- @@ -2774,6 +2834,17 @@ example: EQHXZ8M8AV -- +*`file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`file.code_signature.trusted`*:: + -- 
@@ -3145,6 +3216,19 @@ example: png -- +*`file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`file.gid`*:: + -- @@ -3288,7 +3372,7 @@ example: /home/alice/example.png *`file.path.text`*:: + -- -type: text +type: match_only_text -- @@ -3394,7 +3478,7 @@ type: keyword *`file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -4198,7 +4282,7 @@ example: Mac OS Mojave *`host.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -4227,7 +4311,7 @@ example: Mac OS X *`host.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -4320,7 +4404,7 @@ example: Albert Einstein *`host.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -4369,6 +4453,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`host.user.name`*:: @@ -4378,14 +4464,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`host.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -4424,7 +4510,7 @@ format: bytes -- The full HTTP request body. -type: keyword +type: wildcard example: Hello world 
@@ -4433,7 +4519,7 @@ example: Hello world *`http.request.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -4517,7 +4603,7 @@ format: bytes -- The full HTTP response body. -type: keyword +type: wildcard example: Hello world @@ -4526,7 +4612,7 @@ example: Hello world *`http.response.body.content.text`*:: + -- -type: text +type: match_only_text -- @@ -5335,7 +5421,7 @@ example: Mac OS Mojave *`observer.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -5364,7 +5450,7 @@ example: Mac OS X *`observer.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5582,7 +5668,7 @@ type: keyword *`organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5617,7 +5703,7 @@ example: Mac OS Mojave *`os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -5646,7 +5732,7 @@ example: Mac OS X *`os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -5952,6 +6038,18 @@ example: 4 -- +*`process.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.code_signature.exists`*:: + -- @@ -6010,6 +6108,17 @@ example: EQHXZ8M8AV -- +*`process.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.code_signature.trusted`*:: + -- @@ -6040,7 +6149,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -6049,7 +6158,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.command_line.text`*:: + -- -type: text +type: match_only_text -- 
@@ -6334,6 +6443,17 @@ type: keyword -- +*`process.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.entity_id`*:: + -- @@ -6361,7 +6481,7 @@ example: /usr/bin/ssh *`process.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -6437,7 +6557,7 @@ example: ssh *`process.name.text`*:: + -- -type: text +type: match_only_text -- @@ -6465,6 +6585,18 @@ example: 4 -- +*`process.parent.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`process.parent.code_signature.exists`*:: + -- @@ -6523,6 +6655,17 @@ example: EQHXZ8M8AV -- +*`process.parent.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`process.parent.code_signature.trusted`*:: + -- @@ -6553,7 +6696,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard example: /usr/bin/ssh -l user 10.0.0.16 @@ -6562,7 +6705,7 @@ example: /usr/bin/ssh -l user 10.0.0.16 *`process.parent.command_line.text`*:: + -- -type: text +type: match_only_text -- @@ -6847,6 +6990,17 @@ type: keyword -- +*`process.parent.end`*:: ++ +-- +The time the process ended. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + *`process.parent.entity_id`*:: + -- @@ -6874,7 +7028,7 @@ example: /usr/bin/ssh *`process.parent.executable.text`*:: + -- -type: text +type: match_only_text -- @@ -6950,7 +7104,7 @@ example: ssh *`process.parent.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -7117,7 +7271,7 @@ type: keyword *`process.parent.title.text`*:: + -- -type: text +type: match_only_text -- @@ -7146,7 +7300,7 @@ example: /home/alice *`process.parent.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -7313,7 +7467,7 @@ type: keyword *`process.title.text`*:: + -- -type: text +type: match_only_text -- @@ -7342,7 +7496,7 @@ example: /home/alice *`process.working_directory.text`*:: + -- -type: text +type: match_only_text -- @@ -7370,7 +7524,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -7636,7 +7790,7 @@ example: Google LLC *`server.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -7921,7 +8075,7 @@ example: Albert Einstein *`server.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -7970,6 +8124,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`server.user.name`*:: @@ -7979,14 +8135,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`server.user.name.text`*:: + -- -type: text +type: match_only_text -- 
@@ -8008,6 +8164,30 @@ The service fields describe the service for or from which the data was collected These fields help you find and correlate logs for a specific service and version. +*`service.address`*:: ++ +-- +Address where data about this service was collected from. +This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). + +type: keyword + +example: 172.26.0.2:5432 + +-- + +*`service.environment`*:: ++ +-- +Identifies the environment where the service is running. +If the same service runs in different environments (production, staging, QA, development, etc.), the environment can identify other instances of the same service. Can also group services and applications from the same environment. + +type: keyword + +example: production + +-- + *`service.ephemeral_id`*:: + -- @@ -8135,7 +8315,7 @@ example: Google LLC *`source.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8420,7 +8600,7 @@ example: Albert Einstein *`source.user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -8469,6 +8649,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`source.user.name`*:: @@ -8478,14 +8660,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`source.user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8550,7 +8732,7 @@ example: Google LLC *`threat.enrichments.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -8614,6 +8796,18 @@ example: ["readonly", "system"] -- +*`threat.enrichments.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.enrichments.indicator.file.code_signature.exists`*:: + -- 
@@ -8672,6 +8866,17 @@ example: EQHXZ8M8AV -- +*`threat.enrichments.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- @@ -9043,6 +9248,19 @@ example: png -- +*`threat.enrichments.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.enrichments.indicator.file.gid`*:: + -- @@ -9065,6 +9283,51 @@ example: alice -- +*`threat.enrichments.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.enrichments.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.enrichments.indicator.file.inode`*:: + -- 
@@ -9141,26 +9404,104 @@ example: /home/alice/example.png *`threat.enrichments.indicator.file.path.text`*:: + -- -type: text +type: match_only_text -- -*`threat.enrichments.indicator.file.size`*:: +*`threat.enrichments.indicator.file.pe.architecture`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +CPU architecture target for the file. -type: long +type: keyword -example: 16384 +example: x64 -- -*`threat.enrichments.indicator.file.target_path`*:: +*`threat.enrichments.indicator.file.pe.company`*:: + -- -Target path for symlinks. +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.enrichments.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.enrichments.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.enrichments.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.enrichments.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.enrichments.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`threat.enrichments.indicator.file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". 
+ +type: long + +example: 16384 + +-- + +*`threat.enrichments.indicator.file.target_path`*:: ++ +-- +Target path for symlinks. type: keyword @@ -9169,7 +9510,7 @@ type: keyword *`threat.enrichments.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- @@ -9330,51 +9671,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.enrichments.indicator.ip`*:: + -- 
@@ -9423,84 +9719,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.enrichments.indicator.port`*:: + -- 
@@ -9552,7 +9770,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -9705,7 +9923,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -9714,7 +9932,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.enrichments.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -9725,7 +9943,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -9734,7 +9952,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.enrichments.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -9752,7 +9970,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -10170,7 +10388,8 @@ example: MITRE ATT&CK *`threat.group.alias`*:: + -- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). +The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword @@ -10181,7 +10400,8 @@ example: [ "Magecart Group 6" ] *`threat.group.id`*:: + -- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group id. type: keyword @@ -10192,7 +10412,8 @@ example: G0037 *`threat.group.name`*:: + -- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group name. type: keyword @@ -10203,7 +10424,8 @@ example: FIN6 *`threat.group.reference`*:: + -- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword 
@@ -10236,7 +10458,7 @@ example: Google LLC *`threat.indicator.as.organization.name.text`*:: + -- -type: text +type: match_only_text -- @@ -10301,6 +10523,18 @@ example: ["readonly", "system"] -- +*`threat.indicator.file.code_signature.digest_algorithm`*:: ++ +-- +The hashing algorithm used to sign the process. +This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. + +type: keyword + +example: sha256 + +-- + *`threat.indicator.file.code_signature.exists`*:: + -- @@ -10359,6 +10593,17 @@ example: EQHXZ8M8AV -- +*`threat.indicator.file.code_signature.timestamp`*:: ++ +-- +Date and time when the code signature was generated and signed. + +type: date + +example: 2021-01-01T12:10:30Z + +-- + *`threat.indicator.file.code_signature.trusted`*:: + -- @@ -10730,6 +10975,19 @@ example: png -- +*`threat.indicator.file.fork_name`*:: ++ +-- +A fork is additional data associated with a filesystem object. +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + +example: Zone.Identifer + +-- + *`threat.indicator.file.gid`*:: + -- 
@@ -10752,6 +11010,51 @@ example: alice -- +*`threat.indicator.file.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`threat.indicator.file.hash.ssdeep`*:: ++ +-- +SSDEEP hash. + +type: keyword + +-- + *`threat.indicator.file.inode`*:: + -- 
@@ -10828,7 +11131,85 @@ example: /home/alice/example.png *`threat.indicator.file.path.text`*:: + -- -type: text +type: match_only_text + +-- + +*`threat.indicator.file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`threat.indicator.file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`threat.indicator.file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`threat.indicator.file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`threat.indicator.file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`threat.indicator.file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`threat.indicator.file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System -- @@ -10856,7 +11237,7 @@ type: keyword *`threat.indicator.file.target_path.text`*:: + -- -type: text +type: match_only_text -- 
@@ -11017,51 +11398,6 @@ example: America/Argentina/Buenos_Aires -- -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - *`threat.indicator.ip`*:: + -- @@ -11111,84 +11447,6 @@ example: 2020-11-05T17:25:47.000Z -- -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - *`threat.indicator.port`*:: + -- 
@@ -11240,7 +11498,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -11394,7 +11652,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -11403,7 +11661,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`threat.indicator.url.full.text`*:: + -- -type: text +type: match_only_text -- @@ -11414,7 +11672,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -11423,7 +11681,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`threat.indicator.url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -11441,7 +11699,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- 
@@ -11790,10 +12048,23 @@ example: 3 -- +*`threat.software.alias`*:: ++ +-- +The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. +While not required, you can use a MITRE ATT&CK® associated software description. + +type: keyword + +example: [ "X-Agent" ] + +-- + *`threat.software.id`*:: + -- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software id. type: keyword @@ -11804,7 +12075,8 @@ example: S0552 *`threat.software.name`*:: + -- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software name. type: keyword @@ -11815,7 +12087,7 @@ example: AdFind *`threat.software.platforms`*:: + -- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended Values: * AWS * Azure @@ -11828,6 +12100,8 @@ Recommended Values: * SaaS * Windows +While not required, you can use a MITRE ATT&CK® software platforms. + type: keyword example: [ "Windows" ] 
@@ -11837,7 +12111,8 @@ example: [ "Windows" ] *`threat.software.reference`*:: + -- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. +While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword @@ -11848,11 +12123,13 @@ example: https://attack.mitre.org/software/S0552/ *`threat.software.type`*:: + -- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values * Malware * Tool + While not required, you can use a MITRE ATT&CK® software type. + type: keyword example: Tool @@ -11917,7 +12194,7 @@ example: Command and Scripting Interpreter *`threat.technique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -11957,7 +12234,7 @@ example: PowerShell *`threat.technique.subtechnique.name.text`*:: + -- -type: text +type: match_only_text -- @@ -12905,7 +13182,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -12914,7 +13191,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top *`url.full.text`*:: + -- -type: text +type: match_only_text -- 
@@ -12925,7 +13202,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -12934,7 +13211,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elas *`url.original.text`*:: + -- -type: text +type: match_only_text -- @@ -12952,7 +13229,7 @@ type: keyword -- Path of the request, such as "/search". -type: keyword +type: wildcard -- @@ -13077,7 +13354,7 @@ example: Albert Einstein *`user.changes.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13126,6 +13403,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.changes.name`*:: @@ -13135,14 +13414,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.changes.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13200,7 +13479,7 @@ example: Albert Einstein *`user.effective.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13249,6 +13528,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.effective.name`*:: @@ -13258,14 +13539,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.effective.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13303,7 +13584,7 @@ example: Albert Einstein *`user.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13352,6 +13633,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.name`*:: 
@@ -13361,14 +13644,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13416,7 +13699,7 @@ example: Albert Einstein *`user.target.full_name.text`*:: + -- -type: text +type: match_only_text -- @@ -13465,6 +13748,8 @@ Unique identifier of the user. type: keyword +example: S-1-5-21-202424912787-2692429404-2351956786-1000 + -- *`user.target.name`*:: @@ -13474,14 +13759,14 @@ Short name or login of the user. type: keyword -example: albert +example: a.einstein -- *`user.target.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13539,7 +13824,7 @@ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605. *`user_agent.original.text`*:: + -- -type: text +type: match_only_text -- @@ -13568,7 +13853,7 @@ example: Mac OS Mojave *`user_agent.os.full.text`*:: + -- -type: text +type: match_only_text -- @@ -13597,7 +13882,7 @@ example: Mac OS X *`user_agent.os.name.text`*:: + -- -type: text +type: match_only_text -- @@ -13721,7 +14006,7 @@ example: In macOS before 2.12.6, there is a vulnerability in the RPC... *`vulnerability.description.text`*:: + -- -type: text +type: match_only_text -- diff --git a/x-pack/osquerybeat/include/fields.go b/x-pack/osquerybeat/include/fields.go index 5bee044da498..83dee5924063 100644 --- a/x-pack/osquerybeat/include/fields.go +++ b/x-pack/osquerybeat/include/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded zlib format compressed contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" }