diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index d97f3595a5b5..e933ca3cf0c7 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -85,6 +85,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add option for S3 input to work without SQS notification {issue}18205[18205] {pull}27332[27332]
 - Fix Crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27622[27622] {pull}27623[27623]
 - Rename `log.path` to `log.file.path` in filestream to be consistent with `log` input and ECS. {pull}27761[27761]
+- Removes old module name aliases (gsuite) and removing old cyberark module in favor of the new cyberarkpas{pull}27915[27915]
 - Only filesets that are explicitly configured will be enabled. {issue}17256[17256] {pull}27526[27526]
 - All filesets are disabled in the default configuration. {issue}17256[17256] {pull}27762[27762]
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 5d95c482caa9..5121f67dec7a 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -29,7 +29,6 @@ grouped in the following categories:
 * <>
 * <>
 * <>
-* <>
 * <>
 * <>
 * <>
@@ -40,7 +39,6 @@ grouped in the following categories:
 * <>
 * <>
 * <>
-* <>
 * <>
 * <>
 * <>
@@ -28790,12434 +28788,13462 @@ type: keyword -- -[[exported-fields-cyberark]] -== Cyber-Ark fields - -cyberark fields. +[[exported-fields-cyberarkpas]] +== CyberArk PAS fields +cyberarkpas fields. -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. -type: keyword +[float] +=== audit --- +Cyberark Privileged Access Security Audit fields. -*`rsa.internal.msg`*:: +*`cyberarkpas.audit.action`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +A description of the audit record. type: keyword -- -*`rsa.internal.messageid`*:: +[float] +=== ca_properties + +Account metadata. + + +*`cyberarkpas.audit.ca_properties.address`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`cyberarkpas.audit.ca_properties.cpm_disabled`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`cyberarkpas.audit.ca_properties.cpm_error_details`*:: + -- -This key captures the contents of instant messages - type: keyword -- -*`rsa.internal.time`*:: +*`cyberarkpas.audit.ca_properties.cpm_status`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`cyberarkpas.audit.ca_properties.creation_method`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`cyberarkpas.audit.ca_properties.customer`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.msg_vid`*:: +*`cyberarkpas.audit.ca_properties.database`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.data`*:: +*`cyberarkpas.audit.ca_properties.device_type`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_server`*:: +*`cyberarkpas.audit.ca_properties.dual_account_status`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_val`*:: +*`cyberarkpas.audit.ca_properties.group_name`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.resource`*:: +*`cyberarkpas.audit.ca_properties.in_process`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_id`*:: +*`cyberarkpas.audit.ca_properties.index`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.statement`*:: +*`cyberarkpas.audit.ca_properties.last_fail_date`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.audit_class`*:: +*`cyberarkpas.audit.ca_properties.last_success_change`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.entry`*:: +*`cyberarkpas.audit.ca_properties.last_success_reconciliation`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`cyberarkpas.audit.ca_properties.last_success_verification`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.inode`*:: +*`cyberarkpas.audit.ca_properties.last_task`*:: + -- -Deprecated key defined only in table map. 
- -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`cyberarkpas.audit.ca_properties.logon_domain`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.dead`*:: +*`cyberarkpas.audit.ca_properties.policy_id`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`cyberarkpas.audit.ca_properties.port`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.feed_name`*:: +*`cyberarkpas.audit.ca_properties.privcloud`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.cid`*:: +*`cyberarkpas.audit.ca_properties.reset_immediately`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_class`*:: +*`cyberarkpas.audit.ca_properties.retries_count`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_group`*:: +*`cyberarkpas.audit.ca_properties.sequence_id`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_host`*:: +*`cyberarkpas.audit.ca_properties.tags`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_ip`*:: +*`cyberarkpas.audit.ca_properties.user_dn`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`cyberarkpas.audit.ca_properties.user_name`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`cyberarkpas.audit.ca_properties.virtual_username`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_type_id`*:: +*`cyberarkpas.audit.ca_properties.other`*:: + -- -Deprecated key defined only in table map. - -type: long +type: flattened -- -*`rsa.internal.did`*:: +*`cyberarkpas.audit.category`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The category name (for category-related operations). type: keyword -- -*`rsa.internal.entropy_req`*:: +*`cyberarkpas.audit.desc`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +A static value that displays a description of the audit codes. -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +[float] +=== extra_details + +Specific extra details of the audit records. 
+ + +*`cyberarkpas.audit.extra_details.ad_process_id`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`cyberarkpas.audit.extra_details.ad_process_name`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`cyberarkpas.audit.extra_details.application_type`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`cyberarkpas.audit.extra_details.command`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`cyberarkpas.audit.extra_details.connection_component_id`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`cyberarkpas.audit.extra_details.dst_host`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`cyberarkpas.audit.extra_details.logon_account`*:: + -- -This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`cyberarkpas.audit.extra_details.managed_account`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`cyberarkpas.audit.extra_details.process_id`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`cyberarkpas.audit.extra_details.process_name`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`cyberarkpas.audit.extra_details.protocol`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`cyberarkpas.audit.extra_details.psmid`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`cyberarkpas.audit.extra_details.session_duration`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 
32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`cyberarkpas.audit.extra_details.session_id`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`cyberarkpas.audit.extra_details.src_host`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`cyberarkpas.audit.extra_details.username`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`cyberarkpas.audit.extra_details.other`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: flattened -- -*`rsa.internal.payload_res`*:: +*`cyberarkpas.audit.file`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +The name of the target file. -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`cyberarkpas.audit.gateway_station`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +The IP of the web application machine (PVWA). -type: keyword +type: ip -- -*`rsa.internal.process_vid_src`*:: +*`cyberarkpas.audit.hostname`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +The hostname, in upper case. 
type: keyword +example: MY-COMPUTER + -- -*`rsa.internal.rid`*:: +*`cyberarkpas.audit.iso_timestamp`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The timestamp, in ISO Timestamp format (RFC 3339). -type: long +type: date + +example: 2013-06-25 10:47:19+00:00 -- -*`rsa.internal.session_split`*:: +*`cyberarkpas.audit.issuer`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The Vault user who wrote the audit. This is usually the user who performed the operation. type: keyword -- -*`rsa.internal.site`*:: +*`cyberarkpas.audit.location`*:: + -- -Deprecated key defined only in table map. +The target Location (for Location operations). type: keyword +Field is not indexed. + -- -*`rsa.internal.size`*:: +*`cyberarkpas.audit.message`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +A description of the audit records (same information as in the Desc field). -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`cyberarkpas.audit.message_id`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The code ID of the audit records. type: keyword -- -*`rsa.internal.ubc_req`*:: +*`cyberarkpas.audit.product`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +A static value that represents the product. 
-type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`cyberarkpas.audit.pvwa_details`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +Specific details of the PVWA audit records. -type: long +type: flattened -- -*`rsa.internal.word`*:: +*`cyberarkpas.audit.raw`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +Raw XML for the original audit record. Only present when XSLT file has debugging enabled. + type: keyword --- +Field is not indexed. +-- -*`rsa.time.event_time`*:: +*`cyberarkpas.audit.reason`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +The reason entered by the user. -type: date +type: text -- -*`rsa.time.duration_time`*:: +*`cyberarkpas.audit.rfc5424`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. +Whether the syslog format complies with RFC5424. -type: double +type: boolean + +example: True -- -*`rsa.time.event_time_str`*:: +*`cyberarkpas.audit.safe`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +The name of the target Safe. type: keyword -- -*`rsa.time.starttime`*:: +*`cyberarkpas.audit.severity`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date - --- +The severity of the audit records. -*`rsa.time.month`*:: -+ --- type: keyword -- -*`rsa.time.day`*:: +*`cyberarkpas.audit.source_user`*:: + -- +The name of the Vault user who performed the operation. + type: keyword -- -*`rsa.time.endtime`*:: +*`cyberarkpas.audit.station`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +The IP from where the operation was performed. 
For PVWA sessions, this will be the real client machine IP. -type: date +type: ip -- -*`rsa.time.timezone`*:: +*`cyberarkpas.audit.target_user`*:: + -- -This key is used to capture the timezone of the Event Time +The name of the Vault user on which the operation was performed. type: keyword -- -*`rsa.time.duration_str`*:: +*`cyberarkpas.audit.timestamp`*:: + -- -A text string version of the duration +The timestamp, in MMM DD HH:MM:SS format. type: keyword +example: Jun 25 10:47:19 + -- -*`rsa.time.date`*:: +*`cyberarkpas.audit.vendor`*:: + -- +A static value that represents the vendor. + type: keyword -- -*`rsa.time.year`*:: +*`cyberarkpas.audit.version`*:: + -- -type: keyword +A static value that represents the version of the Vault. --- +type: keyword -*`rsa.time.recorded_time`*:: -+ -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: date +[[exported-fields-cylance]] +== CylanceProtect fields --- +cylance fields. -*`rsa.time.datetime`*:: -+ --- -type: keyword --- -*`rsa.time.effective_time`*:: +*`network.interface.name`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +Name of the network interface where the traffic has been observed. -type: date --- +type: keyword -*`rsa.time.expire_time`*:: -+ -- -This key is the timestamp that explicitly refers to an expiration. 
-type: date --- -*`rsa.time.process_time`*:: +*`rsa.internal.msg`*:: + -- -Deprecated, use duration.time +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.time.hour`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.internal.message`*:: + -- +This key captures the contents of instant messages + type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.internal.time`*:: + -- -This key is the Time that the event was queued. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. type: date -- -*`rsa.time.p_time1`*:: +*`rsa.internal.level`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.time.tzone`*:: +*`rsa.internal.msg_id`*:: + -- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.internal.msg_vid`*:: + -- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.internal.obj_val`*:: + -- +Deprecated key defined only in table map. 
+ type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.internal.resource`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.internal.entry`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +Deprecated key defined only in table map. type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.internal.hcode`*:: + -- Deprecated key defined only in table map. -type: date +type: keyword -- - -*`rsa.misc.action`*:: +*`rsa.internal.inode`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.result`*:: +*`rsa.internal.resource_class`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.internal.dead`*:: + -- -This key is used to capture the severity given the session +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.event_type`*:: +*`rsa.internal.feed_desc`*:: + -- -This key captures the event category type as specified by the event source. +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.internal.feed_name`*:: + -- -This key is used to capture an event id from the session directly +This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.version`*:: +*`rsa.internal.cid`*:: + -- -This key captures Version of the application or OS which is generating the event. +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.internal.device_class`*:: + -- -This key captures the The end state of an action. +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.internal.device_group`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.category`*:: +*`rsa.internal.device_host`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.internal.device_ip`*:: + -- -This is used to capture name of object +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.obj_type`*:: +*`rsa.internal.device_ipv6`*:: + -- -This is used to capture type of object +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.event_source`*:: +*`rsa.internal.device_type`*:: + -- -This key captures Source of the event that’s not a hostname +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.internal.device_type_id`*:: + -- -This key is used to capture a sessionid from the session directly +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.group`*:: +*`rsa.internal.did`*:: + -- -This key captures the Group Name value +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.internal.entropy_req`*:: + -- -This key is used to capture the Policy Name only. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.misc.rule_name`*:: +*`rsa.internal.entropy_res`*:: + -- -This key captures the Rule Name +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.misc.context`*:: +*`rsa.internal.event_name`*:: + -- -This key captures Information which adds additional context to the event. 
+Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.internal.feed_category`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.space`*:: +*`rsa.internal.forward_ip`*:: + -- -type: keyword +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip -- -*`rsa.misc.client`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.internal.header_id`*:: + -- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.internal.lc_cid`*:: + -- +This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.internal.lc_ctime`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.misc.operation_id`*:: +*`rsa.internal.mcb_req`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.misc.event_state`*:: +*`rsa.internal.mcb_res`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.misc.group_object`*:: +*`rsa.internal.mcbc_req`*:: + -- -This key captures a collection/grouping of entities. Specific usage +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.node`*:: +*`rsa.internal.mcbc_res`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
+This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.rule`*:: +*`rsa.internal.medium`*:: + -- -This key captures the Rule number +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`rsa.misc.device_name`*:: +*`rsa.internal.node_name`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.param`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -This key is the parameters passed as part of a command or application, etc. +This key denotes that event is endpoint related type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.internal.parse_error`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.internal.payload_req`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep -type: keyword +type: long -- -*`rsa.misc.reference_id1`*:: +*`rsa.internal.payload_res`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.misc.event_log`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This key captures the Name of the event log +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.internal.process_vid_src`*:: + -- -This key captures the Name of the Operating System +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.internal.rid`*:: + -- -This key captures the Terminal Names only +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.internal.session_split`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.internal.site`*:: + -- -This key captures Filter used to reduce result set +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.internal.size`*:: + -- -This key is the Serial number associated with a physical asset. +This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`rsa.misc.checksum`*:: +*`rsa.internal.sourcefile`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.internal.ubc_req`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.misc.virusname`*:: +*`rsa.internal.ubc_res`*:: + -- -This key captures the name of the virus +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.misc.content_type`*:: +*`rsa.internal.word`*:: + -- -This key is used to capture Content Type only. 
+This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.misc.group_id`*:: + +*`rsa.time.event_time`*:: + -- -This key captures Group ID Number (related to the group name) +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.misc.policy_id`*:: +*`rsa.time.duration_time`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.misc.vsys`*:: +*`rsa.time.event_time_str`*:: + -- -This key captures Virtual System Name +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.time.starttime`*:: + -- -This key captures the Connection ID +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.misc.reference_id2`*:: +*`rsa.time.month`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.time.day`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.time.endtime`*:: + -- -This key captures IDS/IPS Int Signature ID +This key is used to capture the End time mentioned in a session in a standard form -type: long +type: date -- -*`rsa.misc.port_name`*:: +*`rsa.time.timezone`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). 
+This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.time.duration_str`*:: + -- -This key captures the Rule group name +A text string version of the duration type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.time.date`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.time.year`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.time.recorded_time`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: keyword +type: date -- -*`rsa.misc.comp_version`*:: +*`rsa.time.datetime`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.time.effective_time`*:: + -- -This key captures Version level of a signature or database content. +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`rsa.misc.hardware_id`*:: +*`rsa.time.expire_time`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +This key is the timestamp that explicitly refers to an expiration. 
-type: keyword +type: date -- -*`rsa.misc.risk`*:: +*`rsa.time.process_time`*:: + -- -This key captures the non-numeric risk value +Deprecated, use duration.time type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.time.event_queue_time`*:: + -- -This key is used to capture the mailbox id/name +This key is the Time that the event was queued. -type: keyword +type: date -- -*`rsa.misc.rule_uid`*:: +*`rsa.time.p_time1`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.time.tzone`*:: + -- -This key captures the Description of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.time.p_month`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.time.p_time2`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.time.p_year`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.time.expire_time_str`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.time.stamp`*:: + -- -This key captures the contents of the policy. 
This contains details about the policy +Deprecated key defined only in table map. -type: keyword +type: date -- -*`rsa.misc.pool_name`*:: + +*`rsa.misc.action`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.result`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.severity`*:: + -- +This key is used to capture the severity given the session + type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.event_type`*:: + -- +This key captures the event category type as specified by the event source. + type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.reference_id`*:: + -- +This key is used to capture an event id from the session directly + type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.version`*:: + -- +This key captures Version of the application or OS which is generating the event. + type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.disposition`*:: + -- -Comment information provided in the log message +This key captures the The end state of an action. type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.result_code`*:: + -- -This key captures File Identification number +This key is used to capture the outcome/result numeric value of an action in a session -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.category`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). 
+This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.obj_name`*:: + -- -This key captures the Job Number +This is used to capture name of object type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.obj_type`*:: + -- -Destination SPI Index +This is used to capture type of object type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.event_source`*:: + -- -Source SPI Index +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.log_session_id`*:: + -- +This key is used to capture a sessionid from the session directly + type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.group`*:: + -- -This key is used to capture agent id +This key captures the Group Name value type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.policy_name`*:: + -- -This key captures the The contents of the message body. +This key is used to capture the Policy Name only. type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.rule_name`*:: + -- +This key captures the Rule Name + type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.context`*:: + -- -This key captures a string object of the sigid variable. +This key captures Information which adds additional context to the event. type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.change_new`*:: + -- +This key is used to capture the new values of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.client`*:: + -- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.msgIdPart1`*:: + -- -This key is the CPU time used in the execution of the event being recorded. 
- -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.msgIdPart2`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.change_old`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +This key is used to capture the old value of the attribute that’s changing in a session -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.operation_id`*:: + -- +An alert number or operation number. The values should be unique and non-repeating. + type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.group_object`*:: + -- +This key captures a collection/grouping of entities. Specific usage + type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.node`*:: + -- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.rule`*:: + -- +This key captures the Rule number + type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.device_name`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.param`*:: + -- +This key is the parameters passed as part of a command or application, etc. + type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.change_attrib`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. 
+This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.event_computer`*:: + -- -This key captures Filter Category Number. Legacy Usage +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.reference_id1`*:: + -- -This key is used to capture library information in mainframe devices +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.event_log`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +This key captures the Name of the event log type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.OS`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key captures the Name of the Operating System type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.terminal`*:: + -- -This key is captures the TCP flags set in any packet of session +This key captures the Terminal Names only -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.msgIdPart3`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.filter`*:: + -- -VMWare Target **VMWARE** only varaible. +This key captures Filter used to reduce result set type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.serial_number`*:: + -- -This key captures Workspace Description +This key is the Serial number associated with a physical asset. type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.checksum`*:: + -- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. 
+ type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.event_user`*:: + -- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.virusname`*:: + -- +This key captures the name of the virus + type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.content_type`*:: + -- +This key is used to capture Content Type only. + type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.group_id`*:: + -- +This key captures Group ID Number (related to the group name) + type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.policy_id`*:: + -- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). 
+ type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.rule_group`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key captures the Rule group name type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.risk_num`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. +This key captures a Numeric Risk value -type: keyword +type: double -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.trigger_val`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.log_session_id1`*:: + -- -This key captures the Filter Result +This key is used to capture a Linked (Related) Session ID from the session directly -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.comp_version`*:: + -- -This key is used to capture destination payload +This key captures the Version level of a sub-component of a product. type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.content_version`*:: + -- -This key is used to capture source payload +This key captures Version level of a signature or database content. 
type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.hardware_id`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.risk`*:: + -- -This key is a failure key for Process ID when it is not an integer value +This key captures the non-numeric risk value type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.event_id`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.reason`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.status`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.mail_id`*:: + -- -This key captures Risk Number Static +This key is used to capture the mailbox id/name -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.rule_uid`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is the Unique Identifier for a rule. type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.trigger_desc`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key captures the Description of the trigger or threshold condition. 
type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.inout`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.p_msgid`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.data_type`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.listnum`*:: + -- +This key is used to capture listname or listnumber, primarily for collecting access-list + type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.observed_val`*:: + -- +This key captures the Value observed (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.policy_value`*:: + -- +This key captures the contents of the policy. 
This contains details about the policy + type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.pool_name`*:: + -- +This key captures the name of a resource pool + type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.rule_template`*:: + -- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.comments`*:: + -- +Comment information provided in the log message + type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.doc_number`*:: + -- -type: keyword +This key captures File Identification number + +type: long -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.expected_val`*:: + -- +This key captures the Value expected (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.job_num`*:: + -- +This key captures the Job Number + type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.spi_dst`*:: + -- +Destination SPI Index + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.spi_src`*:: + -- +Source SPI Index + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.agent_id`*:: + -- +This key is used to capture agent id + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.message_body`*:: + -- +This key captures the The contents of the message body. + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.sig_id_str`*:: + -- +This key captures a string object of the sigid variable. 
+ type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.cpu`*:: + -- -type: keyword +This key is the CPU time used in the execution of the event being recorded. + +type: long -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.event_desc`*:: + -- +This key is used to capture a description of an event available directly or inferred + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.sig_id1`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.context_subject`*:: + -- +This key is to be used in an audit context where the subject is the object being identified + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.cve`*:: + -- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.fcatnum`*:: + -- +This key captures Filter Category Number. Legacy Usage + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.library`*:: + -- +This key is used to capture library information in mainframe devices + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.parent_node`*:: + -- +This key captures the Parent Node Name. 
Must be related to node variable. + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.risk_info`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: keyword +This key is captures the TCP flags set in any packet of session + +type: long -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.tos`*:: + -- -type: keyword +This key describes the type of service + +type: long -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.vm_target`*:: + -- +VMWare Target **VMWARE** only varaible. + type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.workspace`*:: + -- +This key captures Workspace Description + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.alert_id`*:: + -- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.checksum_dst`*:: + -- +This key is used to capture the checksum or hash of the the target entity such as a process or file. 
+ type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.checksum_src`*:: + -- +This key is used to capture the checksum or hash of the source entity such as a file or process. + type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.fresult`*:: + -- -type: keyword +This key captures the Filter Result + +type: long -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.payload_dst`*:: + -- +This key is used to capture destination payload + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.payload_src`*:: + -- +This key is used to capture source payload + type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.pool_id`*:: + -- +This key captures the identifier (typically numeric field) of a resource pool + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: keyword +This key captures Risk Number Community + +type: double -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: keyword +This key captures Risk Number NextGen + +type: double -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: keyword +This key captures Risk Number SandBox + +type: double -- -*`rsa.misc.cn_template_id`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: keyword +This key captures Risk Number Static + +type: double -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.risk_suspicious`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.misc.risk_warning`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.snmp_oid`*:: + -- +SNMP Object Identifier + type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.sql`*:: + -- +This key captures the SQL query + type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: 
+*`rsa.misc.vuln_ref`*:: + -- +This key captures the Vulnerability Reference details + type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.misc.cn_asn_src`*:: + -- type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- 
-*`rsa.misc.cs_if_name`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`rsa.misc.description`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: 
+ -- type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.misc.cn_v6optheaders`*:: + 
-- type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.misc.cs_agency_dst`*:: + -- type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.misc.cs_analyzedby`*:: + -- type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.misc.cs_av_other`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- -*`rsa.misc.object`*:: +*`rsa.misc.cs_context`*:: + -- type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.misc.cs_event_uuid`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.misc.cs_fld`*:: + -- type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- type: keyword -- -*`rsa.misc.password_expire`*:: 
+*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.misc.cs_log_medium`*:: + -- type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.misc.cs_loginname`*:: + -- type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`rsa.misc.program`*:: +*`rsa.misc.cs_modulesign`*:: + -- type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`rsa.misc.session`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.misc.cs_yararesult`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.misc.description`*:: + -- type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.misc.euid`*:: + -- 
type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.misc.load_data`*:: + -- -This is used to capture Auto Run type - type: keyword -- -*`rsa.misc.cc_number`*:: -+ --- -Valid Credit Card Numbers only - -type: long - --- - -*`rsa.misc.content`*:: +*`rsa.misc.location_floor`*:: + -- -This key captures the content type from protocol headers - type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.misc.location_mark`*:: + -- -Employee Identification Numbers only - -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.misc.log_id`*:: + -- -This is used to capture the results of regex match - type: keyword -- -*`rsa.misc.language`*:: +*`rsa.misc.log_type`*:: + -- -This is used to capture list of languages the client support and what it prefers - type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.misc.logid`*:: + -- -This key is used to capture the 
session lifetime in seconds. - -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.misc.logip`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.misc.match`*:: +*`rsa.misc.logname`*:: + -- -This key is for regex match name from search.ini - type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.misc.longitude`*:: + -- -This key captures the command line/launch argument of the target process or file - type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.misc.lport`*:: + -- -This key captures source parameter - type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.misc.mbug_data`*:: + -- -This key captures the Search Text used - type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.misc.misc_name`*:: + -- -This key is used to capture the Signature Name only. - type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.misc.msg_type`*:: + -- -SNMP set request value - type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.misc.msgid`*:: + -- -This key captures number of streams in session - -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.misc.netsessid`*:: + -- -This key captures IndexID of the index. - type: keyword -- -*`rsa.db.instance`*:: +*`rsa.misc.num`*:: + -- -This key is used to capture the database server instance name - type: keyword -- -*`rsa.db.database`*:: +*`rsa.misc.number1`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session - type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.misc.number2`*:: + -- -This key captures the SQL transantion ID of the current session - type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.misc.nwwn`*:: + -- -This key captures permission or privilege level assigned to a resource. 
- type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.misc.object`*:: + -- -This key is used to capture the table name - type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.misc.operation`*:: + -- -This key is used to capture the unique identifier for a database - type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.misc.opkt`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.misc.orig_from`*:: + -- -This key is used for the number of logical reads - -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.misc.owner_id`*:: + -- -This key is used for the number of logical writes - -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.misc.p_action`*:: + -- -This key is used for the number of physical writes - -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.misc.p_filter`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - type: keyword -- -*`rsa.network.domain`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.misc.p_id`*:: + -- -This key should only be used when it’s a Destination Hostname - type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.misc.p_msgid1`*:: + -- -This is used to capture layer 7 protocols/service names - type: keyword -- -*`rsa.network.interface`*:: +*`rsa.misc.p_msgid2`*:: + -- -This key should be used when the source or destination context of an interface is not clear - type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.misc.p_result1`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
- -type: long +type: keyword -- -*`rsa.network.eth_host`*:: +*`rsa.misc.password_chg`*:: + -- -Deprecated, use alias.mac - type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.misc.password_expire`*:: + -- -This key should only be used when it’s a Source Interface - type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.misc.permgranted`*:: + -- -This key should only be used when it’s a Destination Interface - type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.misc.permwanted`*:: + -- -This key should only be used to capture the ID of the Virtual LAN - -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.misc.pgid`*:: + -- -This key should only be used when it’s a Source Zone. - type: keyword -- -*`rsa.network.zone`*:: +*`rsa.misc.policyUUID`*:: + -- -This key should be used when the source or destination context of a Zone is not clear - type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.misc.prog_asp_num`*:: + -- -This key should only be used when it’s a Destination Zone. - type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.misc.program`*:: + -- -This key is used to capture the IP Address of the gateway - type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.misc.real_data`*:: + -- -This key is used to capture the ICMP type only - -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.misc.rec_asp_device`*:: + -- -This key is used to capture the device network IPmask. 
- type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.misc.rec_asp_num`*:: + -- -This key is used to capture the ICMP code only - -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.misc.rec_library`*:: + -- -This key should be used to capture additional protocol information - type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.misc.recordnum`*:: + -- -This key is used for Destionation Device network mask - type: keyword -- -*`rsa.network.port`*:: +*`rsa.misc.ruid`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.misc.sburb`*:: + -- -This key is used for capturing source Network Mask - type: keyword -- -*`rsa.network.netname`*:: +*`rsa.misc.sdomain_fld`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.misc.sec`*:: + -- -Deprecated - -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`rsa.network.origin`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.network.addr`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`rsa.network.fport`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`rsa.network.phost`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.misc.system`*:: + -- -Deprecated, use host.dst 
- type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.misc.tgtdom`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.misc.utcstamp`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.misc.v_instafname`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
- type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.misc.virt_data`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.misc.vpnid`*:: + -- -This key captures the particular event activity(Ex:Logoff) - type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.misc.autorun_type`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +This is used to capture Auto Run type type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.misc.cc_number`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +Valid Credit Card Numbers only -type: keyword +type: long -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.misc.content`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +This key captures the content type from protocol headers type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.misc.ein_number`*:: + -- -This key captures the Event category number +Employee Identification Numbers only type: long -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.misc.found`*:: + -- -This key captures the event category name corresponding to the event cat code +This is used to capture the results of regex match type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.misc.language`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.misc.lifetime`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +This key is used to capture the session lifetime in seconds. 
-type: keyword +type: long -- -*`rsa.investigations.analysis_service`*:: +*`rsa.misc.link`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.misc.match`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +This key is for regex match name from search.ini type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.misc.param_dst`*:: + -- -This is used to capture behaviour of compromise +This key captures the command line/launch argument of the target process or file type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.misc.param_src`*:: + -- -This is used to capture Enablers of Compromise +This key captures source parameter type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.misc.search_text`*:: + -- -This used to capture investigation category +This key captures the Search Text used type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.misc.sig_name`*:: + -- -This used to capture investigation context +This key is used to capture the Signature Name only. type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.misc.snmp_value`*:: + -- -This is key capture indicator of compromise +SNMP set request value type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.misc.streams`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +This key captures number of streams in session type: long -- -*`rsa.counters.dclass_c2`*:: + +*`rsa.db.index`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +This key captures IndexID of the index. 
-type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.db.instance`*:: + -- -This is used to capture the number of times an event repeated +This key is used to capture the database server instance name -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.db.database`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.db.transact_id`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +This key captures the SQL transantion ID of the current session -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.db.permissions`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +This key captures permission or privilege level assigned to a resource. type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.db.table_name`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +This key is used to capture the table name type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.db.db_id`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +This key is used to capture the unique identifier for a database type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.db.db_pid`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +This key captures the process id of a connection with database server -type: keyword +type: long -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.db.lread`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This key is used for the number of logical reads -type: keyword +type: long -- -*`rsa.counters.dclass_r3`*:: +*`rsa.db.lwrite`*:: + -- -This is a generic ratio key that should be used with the 
label dclass.r3.str only +This key is used for the number of logical writes -type: keyword +type: long -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.db.pread`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +This key is used for the number of physical writes -type: keyword +type: long -- -*`rsa.counters.dclass_r3_str`*:: + +*`rsa.network.alias_host`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.network.domain`*:: + -- -This key is used to capture authentication methods used only - type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.network.host_dst`*:: + -- -This key is used to capture the Role of a user only +This key should only be used when it’s a Destination Hostname type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.network.network_service`*:: + -- -X.500 (LDAP) Distinguished Name +This is used to capture layer 7 protocols/service names type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.network.interface`*:: + -- -This key is used to capture the type of logon method used. +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.network.network_port`*:: + -- -This key is used to capture the user profile +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
-type: keyword +type: long -- -*`rsa.identity.accesses`*:: +*`rsa.network.eth_host`*:: + -- -This key is used to capture actual privileges used in accessing an object +Deprecated, use alias.mac type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.network.sinterface`*:: + -- -Radius realm or similar grouping of accounts +This key should only be used when it’s a Source Interface type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.network.dinterface`*:: + -- -This key captures Destination User Session ID +This key should only be used when it’s a Destination Interface type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.network.vlan`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`rsa.identity.org`*:: +*`rsa.network.zone_src`*:: + -- -This key captures the User organization +This key should only be used when it’s a Source Zone. type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.network.zone`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.network.zone_dst`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key should only be used when it’s a Destination Zone. 
type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.network.gateway`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key is used to capture the IP Address of the gateway type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.network.icmp_type`*:: + -- -User's Department Names only +This key is used to capture the ICMP type only -type: keyword +type: long -- -*`rsa.identity.user_sid_src`*:: +*`rsa.network.mask`*:: + -- -This key captures Source User Session ID +This key is used to capture the device network IPmask. type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.network.icmp_code`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +This key is used to capture the ICMP code only -type: keyword +type: long -- -*`rsa.identity.federated_idp`*:: +*`rsa.network.protocol_detail`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +This key should be used to capture additional protocol information type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.network.dmask`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
+This key is used for Destionation Device network mask type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.network.port`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key should only be used to capture a Network Port when the directionality is not clear -type: keyword +type: long -- -*`rsa.identity.password`*:: +*`rsa.network.smask`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +This key is used for capturing source Network Mask type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.network.netname`*:: + -- -This key should only be used to capture the role of a Host Machine +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.network.paddr`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +Deprecated -type: keyword +type: ip -- -*`rsa.identity.ldap_query`*:: +*`rsa.network.faddr`*:: + -- -This key is the Search criteria from an LDAP search - type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.network.lhost`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.network.origin`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.network.remote_domain_id`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.network.addr`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.network.dns_a_record`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - type: keyword -- -*`rsa.email.subject`*:: +*`rsa.network.dns_ptr_record`*:: + -- -This key is used to capture the subject string from an Email only. - type: keyword -- -*`rsa.email.email`*:: +*`rsa.network.fhost`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.network.fport`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.network.laddr`*:: + -- -Deprecated key defined only in table map. - type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.network.linterface`*:: + -- -Deprecated, use permissions - type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.network.phost`*:: + -- -This key captures the attachment file name - type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.file.binary`*:: +*`rsa.network.eth_type`*:: + -- -Deprecated key defined only in table map. 
+This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only -type: keyword +type: long -- -*`rsa.file.filename_dst`*:: +*`rsa.network.ip_proto`*:: + -- -This is used to capture name of the file targeted by the action +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: keyword +type: long -- -*`rsa.file.filename_src`*:: +*`rsa.network.dns_cname_record`*:: + -- -This is used to capture name of the parent filename, the file which performed the action - type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.file.directory_dst`*:: +*`rsa.network.dns_opcode`*:: + -- -This key is used to capture the directory of the target process or file - type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.network.dns_resp`*:: + -- -This key is used to capture the directory of the source process or file - type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.network.dns_type`*:: + -- -This is used to capture entropy vale of a file - -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`rsa.network.domain1`*:: + -- -This is used to capture Company name of file located in version_info - type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.network.host_type`*:: + -- -This is used to capture name of the task - type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.network.packet_length`*:: + -- -Fully Qualified Domain Names - type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.network.host_orig`*:: + -- -This key is used to capture the Web cookies specifically. +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.network.vlan_name`*:: + -- -Reputation Number of an entity. 
Typically used for Web Domains +This key should only be used to capture the name of the Virtual LAN -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: + +*`rsa.investigations.ec_activity`*:: + -- -Web referer's domain +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.investigations.ec_theme`*:: + -- -This key captures Web referer's query portion of the URL +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`rsa.web.remote_domain`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.investigations.ec_outcome`*:: + -- -This key captures Web referer's page information +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.investigations.event_cat`*:: + -- -Web referer's root URL path +This key captures the Event category number -type: keyword +type: long -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.web.web_page`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only --- +type: long +-- -*`rsa.threat.threat_category`*:: +*`rsa.counters.dclass_c2`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`rsa.threat.threat_desc`*:: +*`rsa.counters.event_counter`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This is used to capture the number of times an event repeated -type: keyword +type: long -- -*`rsa.threat.alert`*:: +*`rsa.counters.dclass_r1`*:: + -- -This key is used to capture name of the alert +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.counters.dclass_c3`*:: + -- -This key is used to capture source of the threat +This is a generic counter 
key that should be used with the label dclass.c3.str only -type: keyword +type: long -- - -*`rsa.crypto.crypto`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -This key is for Source (Client) Cipher +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -This key is used to capture the Certificate organization only +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.counters.dclass_r2`*:: + -- -This key is for Encryption peer's IP Address +This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -This key captures Source (Client) Cipher Size +This is a generic counter string key that should be used with the label dclass.c3 only -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.counters.dclass_r3`*:: + -- -IKE negotiation phase. 
+This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -This key captures the Encryption scheme used +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -This key is for Encryption peer’s identity +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`rsa.crypto.sig_type`*:: + +*`rsa.identity.auth_method`*:: + -- -This key captures the Signature Type +This key is used to capture authentication methods used only type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.identity.dn`*:: + -- -Deprecated key defined only in table map. +X.500 (LDAP) Distinguished Name type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.identity.logon_type`*:: + -- -This key captures the Certificate Error String +This key is used to capture the type of logon method used. 
type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.identity.profile`*:: + -- -This key is for Destination (Server) Cipher +This key is used to capture the user profile type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.identity.accesses`*:: + -- -This key captures Destination (Server) Cipher Size +This key is used to capture actual privileges used in accessing an object -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.identity.realm`*:: + -- -Deprecated, use version +Radius realm or similar grouping of accounts type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.identity.org`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +This key captures the User organization type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.identity.dn_dst`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.identity.lastname`*:: + -- -This key is used for the hostname category value of a certificate +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.identity.user_dept`*:: + -- -This key is used to capture the Certificate serial number only +User's Department Names only type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.identity.user_sid_src`*:: + -- -This key captures Certificate validation status 
+This key captures Source User Session ID type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.identity.federated_sp`*:: + -- -Deprecated, use version +This key is the Federated Service Provider. This is the application requesting authentication. type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.identity.host_role`*:: + -- -This key is used to capture the Certificate signing authority only +This key should only be used to capture the role of a Host Machine type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.identity.ldap`*:: + -- -This key is used to capture the Certificate common name only +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.identity.ldap_query`*:: + -- -This key is used to capture the ssid of a Wireless Session +This key is the Search criteria from an LDAP search type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.identity.ldap_response`*:: + -- -This key is used to capture the access point name. 
+This key is to capture Results from an LDAP search type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.identity.owner`*:: + -- -This is used to capture the channel names +This is used to capture username the process or service is running as, the author of the task -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.identity.service_account`*:: + -- -This key captures either WLAN number/name +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage type: keyword -- -*`rsa.storage.disk_volume`*:: +*`rsa.email.email_dst`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.email.email_src`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.email.subject`*:: + -- -This uniquely identifies a port on a HBA. +This key is used to capture the subject string from an Email only. type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.email.email`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.email.trans_from`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +Deprecated key defined only in table map. type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.email.trans_to`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.healthcare.patient_id`*:: + +*`rsa.file.privilege`*:: + -- -This key captures the unique ID for a patient +Deprecated, use permissions type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.file.attachment`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key captures the attachment file name type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.file.filesystem`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.file.binary`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +Deprecated key defined only in table map. type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.file.filename_dst`*:: + -- -This key captures the path to the registry key +This is used to capture name of the file targeted by the action type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.file.filename_src`*:: + -- -This key captures values or decorators used within a registry entry +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -[[exported-fields-cyberarkpas]] -== CyberArk PAS fields - -cyberarkpas fields. - - - - -[float] -=== audit - -Cyberark Privileged Access Security Audit fields. - - - -*`cyberarkpas.audit.action`*:: +*`rsa.file.filename_tmp`*:: + -- -A description of the audit record. - type: keyword -- -[float] -=== ca_properties - -Account metadata. 
- - -*`cyberarkpas.audit.ca_properties.address`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`cyberarkpas.audit.ca_properties.cpm_disabled`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`cyberarkpas.audit.ca_properties.cpm_error_details`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`cyberarkpas.audit.ca_properties.cpm_status`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`cyberarkpas.audit.ca_properties.creation_method`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`cyberarkpas.audit.ca_properties.customer`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`cyberarkpas.audit.ca_properties.database`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`cyberarkpas.audit.ca_properties.device_type`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.dual_account_status`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. 
Typically used for Web Domains + +type: double -- -*`cyberarkpas.audit.ca_properties.group_name`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`cyberarkpas.audit.ca_properties.in_process`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`cyberarkpas.audit.ca_properties.index`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.last_fail_date`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`cyberarkpas.audit.ca_properties.last_success_change`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`cyberarkpas.audit.ca_properties.last_success_reconciliation`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.last_success_verification`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.last_task`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.logon_domain`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.policy_id`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.port`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.privcloud`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.reset_immediately`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.retries_count`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.sequence_id`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.tags`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`cyberarkpas.audit.ca_properties.user_dn`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert 
+ type: keyword -- -*`cyberarkpas.audit.ca_properties.user_name`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`cyberarkpas.audit.ca_properties.virtual_username`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`cyberarkpas.audit.ca_properties.other`*:: +*`rsa.threat.threat_source`*:: + -- -type: flattened +This key is used to capture source of the threat + +type: keyword -- -*`cyberarkpas.audit.category`*:: + +*`rsa.crypto.crypto`*:: + -- -The category name (for category-related operations). +This key is used to capture the Encryption Type or Encryption Key only type: keyword -- -*`cyberarkpas.audit.desc`*:: +*`rsa.crypto.cipher_src`*:: + -- -A static value that displays a description of the audit codes. +This key is for Source (Client) Cipher type: keyword -- -[float] -=== extra_details +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only -Specific extra details of the audit records. +type: keyword +-- -*`cyberarkpas.audit.extra_details.ad_process_id`*:: +*`rsa.crypto.peer`*:: + -- +This key is for Encryption peer's IP Address + type: keyword -- -*`cyberarkpas.audit.extra_details.ad_process_name`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: keyword +This key captures Source (Client) Cipher Size + +type: long -- -*`cyberarkpas.audit.extra_details.application_type`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. 
+ type: keyword -- -*`cyberarkpas.audit.extra_details.command`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`cyberarkpas.audit.extra_details.connection_component_id`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`cyberarkpas.audit.extra_details.dst_host`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`cyberarkpas.audit.extra_details.logon_account`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`cyberarkpas.audit.extra_details.managed_account`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`cyberarkpas.audit.extra_details.process_id`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`cyberarkpas.audit.extra_details.process_name`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`cyberarkpas.audit.extra_details.protocol`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: keyword +This key captures Destination (Server) Cipher Size + +type: long -- -*`cyberarkpas.audit.extra_details.psmid`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`cyberarkpas.audit.extra_details.session_duration`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`cyberarkpas.audit.extra_details.session_id`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`cyberarkpas.audit.extra_details.src_host`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`cyberarkpas.audit.extra_details.username`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`cyberarkpas.audit.extra_details.other`*:: +*`rsa.crypto.cert_checksum`*:: + -- -type: flattened +type: keyword -- -*`cyberarkpas.audit.file`*:: 
+*`rsa.crypto.cert_host_cat`*:: + -- -The name of the target file. +This key is used for the hostname category value of a certificate type: keyword -- -*`cyberarkpas.audit.gateway_station`*:: +*`rsa.crypto.cert_serial`*:: + -- -The IP of the web application machine (PVWA). +This key is used to capture the Certificate serial number only -type: ip +type: keyword -- -*`cyberarkpas.audit.hostname`*:: +*`rsa.crypto.cert_status`*:: + -- -The hostname, in upper case. +This key captures Certificate validation status type: keyword -example: MY-COMPUTER - -- -*`cyberarkpas.audit.iso_timestamp`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -The timestamp, in ISO Timestamp format (RFC 3339). - -type: date +Deprecated, use version -example: 2013-06-25 10:47:19+00:00 +type: keyword -- -*`cyberarkpas.audit.issuer`*:: +*`rsa.crypto.cert_keysize`*:: + -- -The Vault user who wrote the audit. This is usually the user who performed the operation. - type: keyword -- -*`cyberarkpas.audit.location`*:: +*`rsa.crypto.cert_username`*:: + -- -The target Location (for Location operations). - type: keyword -Field is not indexed. - -- -*`cyberarkpas.audit.message`*:: +*`rsa.crypto.https_insact`*:: + -- -A description of the audit records (same information as in the Desc field). - type: keyword -- -*`cyberarkpas.audit.message_id`*:: +*`rsa.crypto.https_valid`*:: + -- -The code ID of the audit records. - type: keyword -- -*`cyberarkpas.audit.product`*:: +*`rsa.crypto.cert_ca`*:: + -- -A static value that represents the product. +This key is used to capture the Certificate signing authority only type: keyword -- -*`cyberarkpas.audit.pvwa_details`*:: +*`rsa.crypto.cert_common`*:: + -- -Specific details of the PVWA audit records. +This key is used to capture the Certificate common name only -type: flattened +type: keyword -- -*`cyberarkpas.audit.raw`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -Raw XML for the original audit record. Only present when XSLT file has debugging enabled. 
- +This key is used to capture the ssid of a Wireless Session type: keyword -Field is not indexed. - -- -*`cyberarkpas.audit.reason`*:: +*`rsa.wireless.access_point`*:: + -- -The reason entered by the user. +This key is used to capture the access point name. -type: text +type: keyword -- -*`cyberarkpas.audit.rfc5424`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Whether the syslog format complies with RFC5424. - -type: boolean +This is used to capture the channel names -example: True +type: long -- -*`cyberarkpas.audit.safe`*:: +*`rsa.wireless.wlan_name`*:: + -- -The name of the target Safe. +This key captures either WLAN number/name type: keyword -- -*`cyberarkpas.audit.severity`*:: + +*`rsa.storage.disk_volume`*:: + -- -The severity of the audit records. +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`cyberarkpas.audit.source_user`*:: +*`rsa.storage.lun`*:: + -- -The name of the Vault user who performed the operation. +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`cyberarkpas.audit.station`*:: +*`rsa.storage.pwwn`*:: + -- -The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. +This uniquely identifies a port on a HBA. -type: ip +type: keyword -- -*`cyberarkpas.audit.target_user`*:: + +*`rsa.physical.org_dst`*:: + -- -The name of the Vault user on which the operation was performed. +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`cyberarkpas.audit.timestamp`*:: +*`rsa.physical.org_src`*:: + -- -The timestamp, in MMM DD HH:MM:SS format. +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -example: Jun 25 10:47:19 - -- -*`cyberarkpas.audit.vendor`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -A static value that represents the vendor. 
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`cyberarkpas.audit.version`*:: +*`rsa.healthcare.patient_id`*:: + -- -A static value that represents the version of the Vault. +This key captures the unique ID for a patient type: keyword -- -[[exported-fields-cylance]] -== CylanceProtect fields - -cylance fields. - - - -*`network.interface.name`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Name of the network interface where the traffic has been observed. - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- - - -*`rsa.internal.msg`*:: +*`rsa.healthcare.patient_mname`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.internal.messageid`*:: + +*`rsa.endpoint.host_state`*:: + -- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.endpoint.registry_key`*:: + -- +This key captures the path to the registry key + type: keyword -- -*`rsa.internal.message`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures the contents of instant messages +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.internal.time`*:: +[[exported-fields-docker-processor]] +== Docker fields + +Docker stats collected from Docker. + + + + +*`docker.container.id`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +type: alias -type: date +alias to: container.id -- -*`rsa.internal.level`*:: +*`docker.container.image`*:: + -- -Deprecated key defined only in table map. 
+type: alias -type: long +alias to: container.image.name -- -*`rsa.internal.msg_id`*:: +*`docker.container.name`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: container.name -- -*`rsa.internal.msg_vid`*:: +*`docker.container.labels`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Image labels. -type: keyword + +type: object -- -*`rsa.internal.data`*:: +[[exported-fields-ecs]] +== ECS fields + + +This section defines Elastic Common Schema (ECS) fields—a common set of fields +to be used when storing event data in {es}. + +This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. +The goal of ECS is to enable and encourage users of {es} to normalize their event data, +so that they can better analyze, visualize, and correlate the data represented in their events. + +See the {ecs-ref}[ECS reference] for more information. + +*`@timestamp`*:: + -- -Deprecated key defined only in table map. +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. -type: keyword +type: date + +example: 2016-05-23T08:05:34.853Z + +required: True -- -*`rsa.internal.obj_server`*:: +*`labels`*:: + -- -Deprecated key defined only in table map. +Custom key/value pairs. +Can be used to add meta information to events. Should not contain nested objects. 
All values are stored as keyword. +Example: `docker` and `k8s` labels. -type: keyword +type: object + +example: {"application": "foo-bar", "env": "production"} -- -*`rsa.internal.obj_val`*:: +*`message`*:: + -- -Deprecated key defined only in table map. +For log events the message field contains the log message, optimized for viewing in a log viewer. +For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. +If multiple messages exist, they can be combined into one message. -type: keyword +type: text + +example: Hello World -- -*`rsa.internal.resource`*:: +*`tags`*:: + -- -Deprecated key defined only in table map. +List of keywords used to tag each event. type: keyword +example: ["production", "env2"] + -- -*`rsa.internal.obj_id`*:: +[float] +=== agent + +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. + + +*`agent.build.original`*:: + -- -Deprecated key defined only in table map. +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. type: keyword +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + -- -*`rsa.internal.statement`*:: +*`agent.ephemeral_id`*:: + -- -Deprecated key defined only in table map. +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. type: keyword +example: 8a4f500f + -- -*`rsa.internal.audit_class`*:: +*`agent.id`*:: + -- -Deprecated key defined only in table map. 
+Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. type: keyword +example: 8a4f500d + -- -*`rsa.internal.entry`*:: +*`agent.name`*:: + -- -Deprecated key defined only in table map. +Custom name of the agent. +This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. +If no name is given, the name is often left empty. type: keyword +example: foo + -- -*`rsa.internal.hcode`*:: +*`agent.type`*:: + -- -Deprecated key defined only in table map. +Type of the agent. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword +example: filebeat + -- -*`rsa.internal.inode`*:: +*`agent.version`*:: + -- -Deprecated key defined only in table map. +Version of the agent. -type: long +type: keyword --- +example: 6.0.0-rc2 -*`rsa.internal.resource_class`*:: -+ -- -Deprecated key defined only in table map. -type: keyword +[float] +=== as --- +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. -*`rsa.internal.dead`*:: + +*`as.number`*:: + -- -Deprecated key defined only in table map. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. type: long +example: 15169 + -- -*`rsa.internal.feed_desc`*:: +*`as.organization.name`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Organization name. 
type: keyword +example: Google LLC + -- -*`rsa.internal.feed_name`*:: +*`as.organization.name.text`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: text -- -*`rsa.internal.cid`*:: -+ --- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +[float] +=== client -type: keyword +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. --- -*`rsa.internal.device_class`*:: +*`client.address`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
+Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -- -*`rsa.internal.device_group`*:: +*`client.as.number`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long + +example: 15169 -- -*`rsa.internal.device_host`*:: +*`client.as.organization.name`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Organization name. type: keyword +example: Google LLC + -- -*`rsa.internal.device_ip`*:: +*`client.as.organization.name.text`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: text -- -*`rsa.internal.device_ipv6`*:: +*`client.bytes`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Bytes sent from the client to the server. -type: ip +type: long + +example: 184 + +format: bytes -- -*`rsa.internal.device_type`*:: +*`client.domain`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Client domain. type: keyword -- -*`rsa.internal.device_type_id`*:: +*`client.geo.city_name`*:: + -- -Deprecated key defined only in table map. +City name. 
-type: long +type: keyword + +example: Montreal -- -*`rsa.internal.did`*:: +*`client.geo.continent_code`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Two-letter code representing continent's name. type: keyword +example: NA + -- -*`rsa.internal.entropy_req`*:: +*`client.geo.continent_name`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Name of the continent. -type: long +type: keyword + +example: North America -- -*`rsa.internal.entropy_res`*:: +*`client.geo.country_iso_code`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Country ISO code. -type: long +type: keyword + +example: CA -- -*`rsa.internal.event_name`*:: +*`client.geo.country_name`*:: + -- -Deprecated key defined only in table map. +Country name. type: keyword +example: Canada + -- -*`rsa.internal.feed_category`*:: +*`client.geo.location`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Longitude and latitude. -type: keyword +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.internal.forward_ip`*:: +*`client.geo.name`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. 
-type: ip +type: keyword + +example: boston-dc -- -*`rsa.internal.forward_ipv6`*:: +*`client.geo.postal_code`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. -type: ip +type: keyword + +example: 94040 -- -*`rsa.internal.header_id`*:: +*`client.geo.region_iso_code`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Region ISO code. type: keyword +example: CA-QC + -- -*`rsa.internal.lc_cid`*:: +*`client.geo.region_name`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Region name. type: keyword +example: Quebec + -- -*`rsa.internal.lc_ctime`*:: +*`client.geo.timezone`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The time zone of the location, such as IANA time zone name. -type: date +type: keyword + +example: America/Argentina/Buenos_Aires -- -*`rsa.internal.mcb_req`*:: +*`client.ip`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +IP address of the client (IPv4 or IPv6). 
-type: long +type: ip -- -*`rsa.internal.mcb_res`*:: +*`client.mac`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +MAC address of the client. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. -type: long +type: keyword + +example: 00-00-5E-00-53-23 -- -*`rsa.internal.mcbc_req`*:: +*`client.nat.ip`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. -type: long +type: ip -- -*`rsa.internal.mcbc_res`*:: +*`client.nat.port`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. type: long +format: string + -- -*`rsa.internal.medium`*:: +*`client.packets`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +Packets sent from the client to the server. type: long +example: 12 + -- -*`rsa.internal.node_name`*:: +*`client.port`*:: + -- -Deprecated key defined only in table map. +Port of the client. 
-type: keyword +type: long + +format: string -- -*`rsa.internal.nwe_callback_id`*:: +*`client.registered_domain`*:: + -- -This key denotes that event is endpoint related +The highest registered client domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword +example: example.com + -- -*`rsa.internal.parse_error`*:: +*`client.subdomain`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. type: keyword +example: east + -- -*`rsa.internal.payload_req`*:: +*`client.top_level_domain`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". -type: long +type: keyword + +example: co.uk -- -*`rsa.internal.payload_res`*:: +*`client.user.domain`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`client.user.email`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +User email address. type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`client.user.full_name`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +User's full name, if available. type: keyword +example: Albert Einstein + -- -*`rsa.internal.rid`*:: +*`client.user.full_name.text`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: text -- -*`rsa.internal.session_split`*:: +*`client.user.group.domain`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`rsa.internal.site`*:: +*`client.user.group.id`*:: + -- -Deprecated key defined only in table map. +Unique identifier for the group on the system/platform. type: keyword -- -*`rsa.internal.size`*:: +*`client.user.group.name`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Name of the group. -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`client.user.hash`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -- -*`rsa.internal.ubc_req`*:: +*`client.user.id`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +Unique identifier of the user. -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`client.user.name`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +Short name or login of the user. -type: long +type: keyword + +example: albert -- -*`rsa.internal.word`*:: +*`client.user.name.text`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - -type: keyword +type: text -- - -*`rsa.time.event_time`*:: +*`client.user.roles`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +Array of user roles at the time of the event. -type: date +type: keyword --- +example: ["kibana_admin", "reporting_user"] -*`rsa.time.duration_time`*:: -+ -- -This key is used to capture the normalized duration/lifetime in seconds. -type: double +[float] +=== cloud --- +Fields related to the cloud or infrastructure the events are coming from. 
-*`rsa.time.event_time_str`*:: + +*`cloud.account.id`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. type: keyword +example: 666777888999 + -- -*`rsa.time.starttime`*:: +*`cloud.account.name`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. -type: date +type: keyword + +example: elastic-dev -- -*`rsa.time.month`*:: +*`cloud.availability_zone`*:: + -- +Availability zone in which this host, resource, or service is located. + type: keyword +example: us-east-1c + -- -*`rsa.time.day`*:: +*`cloud.instance.id`*:: + -- +Instance ID of the host machine. + type: keyword +example: i-1234567890abcdef0 + -- -*`rsa.time.endtime`*:: +*`cloud.instance.name`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +Instance name of the host machine. -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`cloud.machine.type`*:: + -- -This key is used to capture the timezone of the Event Time +Machine type of the host machine. type: keyword +example: t2.medium + -- -*`rsa.time.duration_str`*:: +*`cloud.project.id`*:: + -- -A text string version of the duration +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. type: keyword +example: my-project + -- -*`rsa.time.date`*:: +*`cloud.project.name`*:: + -- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + type: keyword +example: my project + -- -*`rsa.time.year`*:: +*`cloud.provider`*:: + -- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
+ type: keyword +example: aws + -- -*`rsa.time.recorded_time`*:: +*`cloud.region`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. +Region in which this host, resource, or service is located. -type: date +type: keyword + +example: us-east-1 -- -*`rsa.time.datetime`*:: +*`cloud.service.name`*:: + -- +The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. +Examples: app engine, app service, cloud run, fargate, lambda. + type: keyword --- +example: lambda -*`rsa.time.effective_time`*:: -+ -- -This key is the effective time referenced by an individual event in a Standard Timestamp format -type: date +[float] +=== code_signature --- +These fields contain information about binary code signatures. -*`rsa.time.expire_time`*:: + +*`code_signature.exists`*:: + -- -This key is the timestamp that explicitly refers to an expiration. +Boolean to capture if a signature is present. -type: date +type: boolean + +example: true -- -*`rsa.time.process_time`*:: +*`code_signature.signing_id`*:: + -- -Deprecated, use duration.time +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword +example: com.apple.xpc.proxy + -- -*`rsa.time.hour`*:: +*`code_signature.status`*:: + -- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
+ type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.time.min`*:: +*`code_signature.subject_name`*:: + -- +Subject name of the code signer + type: keyword +example: Microsoft Corporation + -- -*`rsa.time.timestamp`*:: +*`code_signature.team_id`*:: + -- +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + type: keyword +example: EQHXZ8M8AV + -- -*`rsa.time.event_queue_time`*:: +*`code_signature.trusted`*:: + -- -This key is the Time that the event was queued. - -type: date +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. --- +type: boolean -*`rsa.time.p_time1`*:: -+ --- -type: keyword +example: true -- -*`rsa.time.tzone`*:: +*`code_signature.valid`*:: + -- -type: keyword +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. --- +type: boolean -*`rsa.time.eventtime`*:: -+ --- -type: keyword +example: true -- -*`rsa.time.gmtdate`*:: -+ --- -type: keyword +[float] +=== container --- +Container fields are used for meta information about the specific container that is the source of information. +These fields help correlate data based containers from any runtime. -*`rsa.time.gmttime`*:: + +*`container.id`*:: + -- +Unique container id. + type: keyword -- -*`rsa.time.p_date`*:: +*`container.image.name`*:: + -- +Name of the image the container was built on. + type: keyword -- -*`rsa.time.p_month`*:: +*`container.image.tag`*:: + -- +Container image tags. + type: keyword -- -*`rsa.time.p_time`*:: +*`container.labels`*:: + -- -type: keyword +Image labels. + +type: object -- -*`rsa.time.p_time2`*:: +*`container.name`*:: + -- +Container name. 
+ type: keyword -- -*`rsa.time.p_year`*:: +*`container.runtime`*:: + -- +Runtime managing this container. + type: keyword --- +example: docker -*`rsa.time.expire_time_str`*:: -+ -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. -type: keyword +[float] +=== data_stream --- +The data_stream fields take part in defining the new data stream naming scheme. +In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. +An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. -*`rsa.time.stamp`*:: + +*`data_stream.dataset`*:: + -- -Deprecated key defined only in table map. - -type: date - --- +The field can contain anything that makes sense to signify the source of the data. +Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. 
+Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: + * Must not contain `-` + * No longer than 100 characters +type: constant_keyword -*`rsa.misc.action`*:: -+ --- -type: keyword +example: nginx.access -- -*`rsa.misc.result`*:: +*`data_stream.namespace`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +A user defined namespace. Namespaces are useful to allow grouping of data. +Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. +Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: + * Must not contain `-` + * No longer than 100 characters -type: keyword +type: constant_keyword + +example: production -- -*`rsa.misc.severity`*:: +*`data_stream.type`*:: + -- -This key is used to capture the severity given the session +An overarching type for the data stream. +Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. -type: keyword +type: constant_keyword --- +example: logs -*`rsa.misc.event_type`*:: -+ -- -This key captures the event category type as specified by the event source. -type: keyword +[float] +=== destination --- +Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. 
If the event also contains identification of the client and server roles, then the client and server fields should also be populated. -*`rsa.misc.reference_id`*:: + +*`destination.address`*:: + -- -This key is used to capture an event id from the session directly +Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -- -*`rsa.misc.version`*:: +*`destination.as.number`*:: + -- -This key captures Version of the application or OS which is generating the event. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long + +example: 15169 -- -*`rsa.misc.disposition`*:: +*`destination.as.organization.name`*:: + -- -This key captures the The end state of an action. +Organization name. type: keyword +example: Google LLC + -- -*`rsa.misc.result_code`*:: +*`destination.as.organization.name.text`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - -type: keyword +type: text -- -*`rsa.misc.category`*:: +*`destination.bytes`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +Bytes sent from the destination to the source. -type: keyword +type: long + +example: 184 + +format: bytes -- -*`rsa.misc.obj_name`*:: +*`destination.domain`*:: + -- -This is used to capture name of object +Destination domain. type: keyword -- -*`rsa.misc.obj_type`*:: +*`destination.geo.city_name`*:: + -- -This is used to capture type of object +City name. type: keyword +example: Montreal + -- -*`rsa.misc.event_source`*:: +*`destination.geo.continent_code`*:: + -- -This key captures Source of the event that’s not a hostname +Two-letter code representing continent's name. 
type: keyword +example: NA + -- -*`rsa.misc.log_session_id`*:: +*`destination.geo.continent_name`*:: + -- -This key is used to capture a sessionid from the session directly +Name of the continent. type: keyword +example: North America + -- -*`rsa.misc.group`*:: +*`destination.geo.country_iso_code`*:: + -- -This key captures the Group Name value +Country ISO code. type: keyword +example: CA + -- -*`rsa.misc.policy_name`*:: +*`destination.geo.country_name`*:: + -- -This key is used to capture the Policy Name only. +Country name. type: keyword +example: Canada + -- -*`rsa.misc.rule_name`*:: +*`destination.geo.location`*:: + -- -This key captures the Rule Name +Longitude and latitude. -type: keyword +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.misc.context`*:: +*`destination.geo.name`*:: + -- -This key captures Information which adds additional context to the event. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword +example: boston-dc + -- -*`rsa.misc.change_new`*:: +*`destination.geo.postal_code`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword +example: 94040 + -- -*`rsa.misc.space`*:: +*`destination.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword +example: CA-QC + -- -*`rsa.misc.client`*:: +*`destination.geo.region_name`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. +Region name. 
type: keyword +example: Quebec + -- -*`rsa.misc.msgIdPart1`*:: +*`destination.geo.timezone`*:: + -- +The time zone of the location, such as IANA time zone name. + type: keyword +example: America/Argentina/Buenos_Aires + -- -*`rsa.misc.msgIdPart2`*:: +*`destination.ip`*:: + -- -type: keyword +IP address of the destination (IPv4 or IPv6). + +type: ip -- -*`rsa.misc.change_old`*:: +*`destination.mac`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session +MAC address of the destination. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword +example: 00-00-5E-00-53-23 + -- -*`rsa.misc.operation_id`*:: +*`destination.nat.ip`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. -type: keyword +type: ip -- -*`rsa.misc.event_state`*:: +*`destination.nat.port`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. -type: keyword +type: long + +format: string -- -*`rsa.misc.group_object`*:: +*`destination.packets`*:: + -- -This key captures a collection/grouping of entities. Specific usage +Packets sent from the destination to the source. -type: keyword +type: long + +example: 12 -- -*`rsa.misc.node`*:: +*`destination.port`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. +Port of the destination. 
-type: keyword +type: long + +format: string -- -*`rsa.misc.rule`*:: +*`destination.registered_domain`*:: + -- -This key captures the Rule number +The highest registered destination domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword +example: example.com + -- -*`rsa.misc.device_name`*:: +*`destination.subdomain`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. type: keyword +example: east + -- -*`rsa.misc.param`*:: +*`destination.top_level_domain`*:: + -- -This key is the parameters passed as part of a command or application, etc. +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
type: keyword +example: co.uk + -- -*`rsa.misc.change_attrib`*:: +*`destination.user.domain`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`rsa.misc.event_computer`*:: +*`destination.user.email`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +User email address. type: keyword -- -*`rsa.misc.reference_id1`*:: +*`destination.user.full_name`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +User's full name, if available. type: keyword +example: Albert Einstein + -- -*`rsa.misc.event_log`*:: +*`destination.user.full_name.text`*:: + -- -This key captures the Name of the event log - -type: keyword +type: text -- -*`rsa.misc.OS`*:: +*`destination.user.group.domain`*:: + -- -This key captures the Name of the Operating System +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`rsa.misc.terminal`*:: +*`destination.user.group.id`*:: + -- -This key captures the Terminal Names only +Unique identifier for the group on the system/platform. type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`destination.user.group.name`*:: + -- +Name of the group. + type: keyword -- -*`rsa.misc.filter`*:: +*`destination.user.hash`*:: + -- -This key captures Filter used to reduce result set +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -- -*`rsa.misc.serial_number`*:: +*`destination.user.id`*:: + -- -This key is the Serial number associated with a physical asset. +Unique identifier of the user. 
type: keyword -- -*`rsa.misc.checksum`*:: +*`destination.user.name`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +Short name or login of the user. type: keyword +example: albert + -- -*`rsa.misc.event_user`*:: +*`destination.user.name.text`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - -type: keyword +type: text -- -*`rsa.misc.virusname`*:: +*`destination.user.roles`*:: + -- -This key captures the name of the virus +Array of user roles at the time of the event. type: keyword --- +example: ["kibana_admin", "reporting_user"] -*`rsa.misc.content_type`*:: -+ -- -This key is used to capture Content Type only. -type: keyword +[float] +=== dll --- +These fields contain information about code libraries dynamically loaded into processes. -*`rsa.misc.group_id`*:: +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: + -- -This key captures Group ID Number (related to the group name) +Boolean to capture if a signature is present. -type: keyword +type: boolean + +example: true -- -*`rsa.misc.policy_id`*:: +*`dll.code_signature.signing_id`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. 
type: keyword +example: com.apple.xpc.proxy + -- -*`rsa.misc.vsys`*:: +*`dll.code_signature.status`*:: + -- -This key captures Virtual System Name +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.misc.connection_id`*:: +*`dll.code_signature.subject_name`*:: + -- -This key captures the Connection ID +Subject name of the code signer type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.reference_id2`*:: +*`dll.code_signature.team_id`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword +example: EQHXZ8M8AV + -- -*`rsa.misc.sensor`*:: +*`dll.code_signature.trusted`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean + +example: true -- -*`rsa.misc.sig_id`*:: +*`dll.code_signature.valid`*:: + -- -This key captures IDS/IPS Int Signature ID +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: long +type: boolean + +example: true -- -*`rsa.misc.port_name`*:: +*`dll.hash.md5`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). +MD5 hash. 
type: keyword -- -*`rsa.misc.rule_group`*:: +*`dll.hash.sha1`*:: + -- -This key captures the Rule group name +SHA1 hash. type: keyword -- -*`rsa.misc.risk_num`*:: +*`dll.hash.sha256`*:: + -- -This key captures a Numeric Risk value +SHA256 hash. -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`dll.hash.sha512`*:: + -- -This key captures the Value of the trigger or threshold condition. +SHA512 hash. type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`dll.hash.ssdeep`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +SSDEEP hash. type: keyword -- -*`rsa.misc.comp_version`*:: +*`dll.name`*:: + -- -This key captures the Version level of a sub-component of a product. +Name of the library. +This generally maps to the name of the file on disk. type: keyword +example: kernel32.dll + -- -*`rsa.misc.content_version`*:: +*`dll.path`*:: + -- -This key captures Version level of a signature or database content. +Full file path of the library. type: keyword +example: C:\Windows\System32\kernel32.dll + -- -*`rsa.misc.hardware_id`*:: +*`dll.pe.architecture`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +CPU architecture target for the file. type: keyword +example: x64 + -- -*`rsa.misc.risk`*:: +*`dll.pe.company`*:: + -- -This key captures the non-numeric risk value +Internal company name of the file, provided at compile-time. type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.event_id`*:: +*`dll.pe.description`*:: + -- +Internal description of the file, provided at compile-time. + type: keyword +example: Paint + -- -*`rsa.misc.reason`*:: +*`dll.pe.file_version`*:: + -- +Internal version of the file, provided at compile-time. + type: keyword +example: 6.3.9600.17415 + -- -*`rsa.misc.status`*:: +*`dll.pe.imphash`*:: + -- +A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.misc.mail_id`*:: +*`dll.pe.original_file_name`*:: + -- -This key is used to capture the mailbox id/name +Internal name of the file, provided at compile-time. type: keyword +example: MSPAINT.EXE + -- -*`rsa.misc.rule_uid`*:: +*`dll.pe.product`*:: + -- -This key is the Unique Identifier for a rule. +Internal product name of the file, provided at compile-time. type: keyword --- +example: Microsoft® Windows® Operating System -*`rsa.misc.trigger_desc`*:: -+ -- -This key captures the Description of the trigger or threshold condition. -type: keyword +[float] +=== dns --- +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). -*`rsa.misc.inout`*:: + +*`dns.answers`*:: + -- -type: keyword +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + +type: object -- -*`rsa.misc.p_msgid`*:: +*`dns.answers.class`*:: + -- +The class of DNS data contained in this resource record. 
+ type: keyword +example: IN + -- -*`rsa.misc.data_type`*:: +*`dns.answers.data`*:: + -- +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. + type: keyword +example: 10.10.10.10 + -- -*`rsa.misc.msgIdPart4`*:: +*`dns.answers.name`*:: + -- +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + type: keyword +example: www.example.com + -- -*`rsa.misc.error`*:: +*`dns.answers.ttl`*:: + -- -This key captures All non successful Error codes or responses +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. -type: keyword +type: long + +example: 180 -- -*`rsa.misc.index`*:: +*`dns.answers.type`*:: + -- +The type of data contained in this resource record. + type: keyword +example: CNAME + -- -*`rsa.misc.listnum`*:: +*`dns.header_flags`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +Array of 2 letter DNS header flags. +Expected values are: AA, TC, RD, RA, AD, CD, DO. type: keyword +example: ["RD", "RA"] + -- -*`rsa.misc.ntype`*:: +*`dns.id`*:: + -- +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + type: keyword +example: 62111 + -- -*`rsa.misc.observed_val`*:: +*`dns.op_code`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. type: keyword +example: QUERY + -- -*`rsa.misc.policy_value`*:: +*`dns.question.class`*:: + -- -This key captures the contents of the policy. 
This contains details about the policy +The class of records being queried. type: keyword +example: IN + -- -*`rsa.misc.pool_name`*:: +*`dns.question.name`*:: + -- -This key captures the name of a resource pool +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. type: keyword +example: www.example.com + -- -*`rsa.misc.rule_template`*:: +*`dns.question.registered_domain`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword --- - -*`rsa.misc.count`*:: -+ --- -type: keyword +example: example.com -- -*`rsa.misc.number`*:: +*`dns.question.subdomain`*:: + -- -type: keyword - --- +The subdomain is all of the labels under the registered_domain. +If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. -*`rsa.misc.sigcat`*:: -+ --- type: keyword +example: www + -- -*`rsa.misc.type`*:: +*`dns.question.top_level_domain`*:: + -- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + type: keyword +example: co.uk + -- -*`rsa.misc.comments`*:: +*`dns.question.type`*:: + -- -Comment information provided in the log message +The type of record being queried. type: keyword +example: AAAA + -- -*`rsa.misc.doc_number`*:: +*`dns.resolved_ip`*:: + -- -This key captures File Identification number +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. -type: long +type: ip + +example: ["10.10.10.10", "10.10.10.11"] -- -*`rsa.misc.expected_val`*:: +*`dns.response_code`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +The DNS response code. type: keyword +example: NOERROR + -- -*`rsa.misc.job_num`*:: +*`dns.type`*:: + -- -This key captures the Job Number +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. type: keyword --- +example: answer -*`rsa.misc.spi_dst`*:: -+ -- -Destination SPI Index -type: keyword +[float] +=== ecs --- +Meta-information specific to ECS. -*`rsa.misc.spi_src`*:: + +*`ecs.version`*:: + -- -Source SPI Index +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
type: keyword +example: 1.0.0 + +required: True + -- -*`rsa.misc.code`*:: +[float] +=== elf + +These fields contain Linux Executable Linkable Format (ELF) metadata. + + +*`elf.architecture`*:: + -- +Machine architecture of the ELF file. + type: keyword +example: x86-64 + -- -*`rsa.misc.agent_id`*:: +*`elf.byte_order`*:: + -- -This key is used to capture agent id +Byte sequence of ELF file. type: keyword +example: Little Endian + -- -*`rsa.misc.message_body`*:: +*`elf.cpu_type`*:: + -- -This key captures the The contents of the message body. +CPU type of the ELF file. type: keyword +example: Intel + -- -*`rsa.misc.phone`*:: +*`elf.creation_date`*:: + -- -type: keyword +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + +type: date -- -*`rsa.misc.sig_id_str`*:: +*`elf.exports`*:: + -- -This key captures a string object of the sigid variable. +List of exported element names and types. -type: keyword +type: flattened -- -*`rsa.misc.cmd`*:: +*`elf.header.abi_version`*:: + -- +Version of the ELF Application Binary Interface (ABI). + type: keyword -- -*`rsa.misc.misc`*:: +*`elf.header.class`*:: + -- +Header class of the ELF file. + type: keyword -- -*`rsa.misc.name`*:: +*`elf.header.data`*:: + -- +Data table of the ELF header. + type: keyword -- -*`rsa.misc.cpu`*:: +*`elf.header.entrypoint`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +Header entrypoint of the ELF file. type: long +format: string + -- -*`rsa.misc.event_desc`*:: +*`elf.header.object_version`*:: + -- -This key is used to capture a description of an event available directly or inferred +"0x1" for original ELF files. type: keyword -- -*`rsa.misc.sig_id1`*:: +*`elf.header.os_abi`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long - --- +Application Binary Interface (ABI) of the Linux OS. 
-*`rsa.misc.im_buddyid`*:: -+ --- type: keyword -- -*`rsa.misc.im_client`*:: +*`elf.header.type`*:: + -- +Header type of the ELF file. + type: keyword -- -*`rsa.misc.im_userid`*:: +*`elf.header.version`*:: + -- +Version of the ELF header. + type: keyword -- -*`rsa.misc.pid`*:: +*`elf.imports`*:: + -- -type: keyword +List of imported element names and types. + +type: flattened -- -*`rsa.misc.priority`*:: +*`elf.sections`*:: + -- -type: keyword +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + +type: nested -- -*`rsa.misc.context_subject`*:: +*`elf.sections.chi2`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +Chi-square probability distribution of the section. -type: keyword +type: long + +format: number -- -*`rsa.misc.context_target`*:: +*`elf.sections.entropy`*:: + -- -type: keyword +Shannon entropy calculation from the section. + +type: long + +format: number -- -*`rsa.misc.cve`*:: +*`elf.sections.flags`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +ELF Section List flags. type: keyword -- -*`rsa.misc.fcatnum`*:: +*`elf.sections.name`*:: + -- -This key captures Filter Category Number. Legacy Usage +ELF Section List name. type: keyword -- -*`rsa.misc.library`*:: +*`elf.sections.physical_offset`*:: + -- -This key is used to capture library information in mainframe devices +ELF Section List offset. type: keyword -- -*`rsa.misc.parent_node`*:: +*`elf.sections.physical_size`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +ELF Section List physical size. -type: keyword +type: long + +format: bytes -- -*`rsa.misc.risk_info`*:: +*`elf.sections.type`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +ELF Section List type. 
type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`elf.sections.virtual_address`*:: + -- -This key is captures the TCP flags set in any packet of session +ELF Section List virtual address. type: long +format: string + -- -*`rsa.misc.tos`*:: +*`elf.sections.virtual_size`*:: + -- -This key describes the type of service +ELF Section List virtual size. type: long +format: string + -- -*`rsa.misc.vm_target`*:: +*`elf.segments`*:: + -- -VMWare Target **VMWARE** only varaible. +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. -type: keyword +type: nested -- -*`rsa.misc.workspace`*:: +*`elf.segments.sections`*:: + -- -This key captures Workspace Description +ELF object segment sections. type: keyword -- -*`rsa.misc.command`*:: +*`elf.segments.type`*:: + -- +ELF object segment type. + type: keyword -- -*`rsa.misc.event_category`*:: +*`elf.shared_libraries`*:: + -- +List of shared libraries used by this ELF object. + type: keyword -- -*`rsa.misc.facilityname`*:: +*`elf.telfhash`*:: + -- +telfhash symbol hash for ELF file. + type: keyword -- -*`rsa.misc.forensic_info`*:: -+ --- -type: keyword +[float] +=== error --- +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. -*`rsa.misc.jobname`*:: + +*`error.code`*:: + -- +Error code describing the error. + type: keyword -- -*`rsa.misc.mode`*:: +*`error.id`*:: + -- +Unique identifier for the error. + type: keyword -- -*`rsa.misc.policy`*:: +*`error.message`*:: + -- -type: keyword +Error message. + +type: text -- -*`rsa.misc.policy_waiver`*:: +*`error.stack_trace`*:: + -- +The stack trace of this error in plain text. + type: keyword +Field is not indexed. 
+ -- -*`rsa.misc.second`*:: +*`error.stack_trace.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.space1`*:: +*`error.type`*:: + -- +The type of the error, for example the class name of the exception. + type: keyword --- +example: java.lang.NullPointerException -*`rsa.misc.subcategory`*:: -+ -- -type: keyword --- +[float] +=== event -*`rsa.misc.tbdstr2`*:: +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. + + +*`event.action`*:: + -- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + type: keyword +example: user-password-change + -- -*`rsa.misc.alert_id`*:: +*`event.agent_id_status`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. 
+For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. +If no validation is performed then the field should be omitted. +The allowed values are: +`verified` - The `agent.id` field value matches expected value obtained from auth metadata. +`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. +`missing` - There was no `agent.id` field in the event to validate. +`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. type: keyword +example: verified + -- -*`rsa.misc.checksum_dst`*:: +*`event.category`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. +This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. +`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. +This field is an array. This will allow proper categorization of some events that fall in multiple categories. type: keyword +example: authentication + -- -*`rsa.misc.checksum_src`*:: +*`event.code`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
type: keyword +example: 4648 + -- -*`rsa.misc.fresult`*:: +*`event.created`*:: + -- -This key captures the Filter Result +event.created contains the date/time when the event was first read by an agent, or by your pipeline. +This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. +In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. +In case the two timestamps are identical, @timestamp should be used. -type: long +type: date + +example: 2016-05-23T08:05:34.857Z -- -*`rsa.misc.payload_dst`*:: +*`event.dataset`*:: + -- -This key is used to capture destination payload +Name of the dataset. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword +example: apache.access + -- -*`rsa.misc.payload_src`*:: +*`event.duration`*:: + -- -This key is used to capture source payload +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. -type: keyword +type: long + +format: duration -- -*`rsa.misc.pool_id`*:: +*`event.end`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool +event.end contains the date when the event ended or when the activity was last observed. -type: keyword +type: date -- -*`rsa.misc.process_id_val`*:: +*`event.hash`*:: + -- -This key is a failure key for Process ID when it is not an integer value +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 
type: keyword +example: 123456789012345678901234567890ABCD + -- -*`rsa.misc.risk_num_comm`*:: +*`event.id`*:: + -- -This key captures Risk Number Community +Unique ID to describe the event. -type: double +type: keyword + +example: 8a4f500d -- -*`rsa.misc.risk_num_next`*:: +*`event.ingested`*:: + -- -This key captures Risk Number NextGen +Timestamp when an event arrived in the central data store. +This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. +In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. -type: double +type: date + +example: 2016-05-23T08:05:35.101Z -- -*`rsa.misc.risk_num_sand`*:: +*`event.kind`*:: + -- -This key captures Risk Number SandBox +This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. +`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. +The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. -type: double +type: keyword + +example: alert -- -*`rsa.misc.risk_num_static`*:: +*`event.module`*:: + -- -This key captures Risk Number Static +Name of the module this data is coming from. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. 
-type: double +type: keyword + +example: apache -- -*`rsa.misc.risk_suspicious`*:: +*`event.original`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. type: keyword +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + +Field is not indexed. + -- -*`rsa.misc.risk_warning`*:: +*`event.outcome`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword +example: success + -- -*`rsa.misc.snmp_oid`*:: +*`event.provider`*:: + -- -SNMP Object Identifier +Source of the event. 
+Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). type: keyword +example: kernel + -- -*`rsa.misc.sql`*:: +*`event.reason`*:: + -- -This key captures the SQL query +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). type: keyword +example: Terminated an unexpected process + -- -*`rsa.misc.vuln_ref`*:: +*`event.reference`*:: + -- -This key captures the Vulnerability Reference details +Reference URL linking to additional information about this event. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword +example: https://system.example.com/event/#0001234 + -- -*`rsa.misc.acl_id`*:: +*`event.risk_score`*:: + -- -type: keyword +Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + +type: float -- -*`rsa.misc.acl_op`*:: +*`event.risk_score_norm`*:: + -- -type: keyword +Normalized risk score or priority of the event, on a scale of 0 to 100. +This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + +type: float -- -*`rsa.misc.acl_pos`*:: +*`event.sequence`*:: + -- -type: keyword +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. 
--- +type: long -*`rsa.misc.acl_table`*:: -+ --- -type: keyword +format: string -- -*`rsa.misc.admin`*:: +*`event.severity`*:: + -- -type: keyword +The numeric severity of the event according to your event source. +What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. +The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. --- +type: long -*`rsa.misc.alarm_id`*:: -+ --- -type: keyword +example: 7 + +format: string -- -*`rsa.misc.alarmname`*:: +*`event.start`*:: + -- -type: keyword +event.start contains the date when the event started or when the activity was first observed. + +type: date -- -*`rsa.misc.app_id`*:: +*`event.timezone`*:: + -- +This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. +Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + type: keyword -- -*`rsa.misc.audit`*:: +*`event.type`*:: + -- +This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. +`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. +This field is an array. This will allow proper categorization of some events that fall in multiple event types. + type: keyword -- -*`rsa.misc.audit_object`*:: +*`event.url`*:: + -- +URL linking to an external system to continue investigation of this event. 
+This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + type: keyword +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + -- -*`rsa.misc.auditdata`*:: -+ --- -type: keyword +[float] +=== file --- +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. -*`rsa.misc.benchmark`*:: + +*`file.accessed`*:: + -- -type: keyword +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date -- -*`rsa.misc.bypass`*:: +*`file.attributes`*:: + -- +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + type: keyword +example: ["readonly", "system"] + -- -*`rsa.misc.cache`*:: +*`file.code_signature.exists`*:: + -- -type: keyword +Boolean to capture if a signature is present. --- +type: boolean -*`rsa.misc.cache_hit`*:: -+ --- -type: keyword +example: true -- -*`rsa.misc.cefversion`*:: +*`file.code_signature.signing_id`*:: + -- +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + type: keyword +example: com.apple.xpc.proxy + -- -*`rsa.misc.cfg_attr`*:: +*`file.code_signature.status`*:: + -- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. 
Leave unpopulated if the validity or trust of the certificate was unchecked. + type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.misc.cfg_obj`*:: +*`file.code_signature.subject_name`*:: + -- +Subject name of the code signer + type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.cfg_path`*:: +*`file.code_signature.team_id`*:: + -- +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + type: keyword +example: EQHXZ8M8AV + -- -*`rsa.misc.changes`*:: +*`file.code_signature.trusted`*:: + -- -type: keyword +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. --- +type: boolean -*`rsa.misc.client_ip`*:: -+ --- -type: keyword +example: true -- -*`rsa.misc.clustermembers`*:: +*`file.code_signature.valid`*:: + -- -type: keyword +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. --- +type: boolean -*`rsa.misc.cn_acttimeout`*:: -+ --- -type: keyword +example: true -- -*`rsa.misc.cn_asn_src`*:: +*`file.created`*:: + -- -type: keyword +File creation time. +Note that not all filesystems store the creation time. + +type: date -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`file.ctime`*:: + -- -type: keyword +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`file.device`*:: + -- +Device that is the source of the file. + type: keyword +example: sda + -- -*`rsa.misc.cn_dst_tos`*:: +*`file.directory`*:: + -- +Directory where the file is located. It should include the drive letter, when appropriate. 
+ type: keyword +example: /home/alice + -- -*`rsa.misc.cn_dst_vlan`*:: +*`file.drive_letter`*:: + -- +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. + type: keyword +example: C + -- -*`rsa.misc.cn_engine_id`*:: +*`file.elf.architecture`*:: + -- +Machine architecture of the ELF file. + type: keyword +example: x86-64 + -- -*`rsa.misc.cn_engine_type`*:: +*`file.elf.byte_order`*:: + -- +Byte sequence of ELF file. + type: keyword +example: Little Endian + -- -*`rsa.misc.cn_f_switch`*:: +*`file.elf.cpu_type`*:: + -- +CPU type of the ELF file. + type: keyword +example: Intel + -- -*`rsa.misc.cn_flowsampid`*:: +*`file.elf.creation_date`*:: + -- -type: keyword +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + +type: date -- -*`rsa.misc.cn_flowsampintv`*:: +*`file.elf.exports`*:: + -- -type: keyword +List of exported element names and types. + +type: flattened -- -*`rsa.misc.cn_flowsampmode`*:: +*`file.elf.header.abi_version`*:: + -- +Version of the ELF Application Binary Interface (ABI). + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`file.elf.header.class`*:: + -- +Header class of the ELF file. + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`file.elf.header.data`*:: + -- +Data table of the ELF header. + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`file.elf.header.entrypoint`*:: + -- -type: keyword +Header entrypoint of the ELF file. + +type: long + +format: string -- -*`rsa.misc.cn_invalid`*:: +*`file.elf.header.object_version`*:: + -- +"0x1" for original ELF files. + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`file.elf.header.os_abi`*:: + -- +Application Binary Interface (ABI) of the Linux OS. + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`file.elf.header.type`*:: + -- +Header type of the ELF file. 
+ type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`file.elf.header.version`*:: + -- +Version of the ELF header. + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`file.elf.imports`*:: + -- -type: keyword +List of imported element names and types. + +type: flattened -- -*`rsa.misc.cn_log_rid`*:: +*`file.elf.sections`*:: + -- -type: keyword +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + +type: nested -- -*`rsa.misc.cn_max_ttl`*:: +*`file.elf.sections.chi2`*:: + -- -type: keyword +Chi-square probability distribution of the section. + +type: long + +format: number -- -*`rsa.misc.cn_maxpcktlen`*:: +*`file.elf.sections.entropy`*:: + -- -type: keyword +Shannon entropy calculation from the section. + +type: long + +format: number -- -*`rsa.misc.cn_min_ttl`*:: +*`file.elf.sections.flags`*:: + -- +ELF Section List flags. + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`file.elf.sections.name`*:: + -- +ELF Section List name. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`file.elf.sections.physical_offset`*:: + -- +ELF Section List offset. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`file.elf.sections.physical_size`*:: + -- -type: keyword +ELF Section List physical size. + +type: long + +format: bytes -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`file.elf.sections.type`*:: + -- +ELF Section List type. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`file.elf.sections.virtual_address`*:: + -- -type: keyword +ELF Section List virtual address. + +type: long + +format: string -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`file.elf.sections.virtual_size`*:: + -- -type: keyword +ELF Section List virtual size. + +type: long + +format: string -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`file.elf.segments`*:: + -- -type: keyword +An array containing an object for each segment of the ELF file. 
+The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. + +type: nested -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`file.elf.segments.sections`*:: + -- +ELF object segment sections. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`file.elf.segments.type`*:: + -- +ELF object segment type. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`file.elf.shared_libraries`*:: + -- +List of shared libraries used by this ELF object. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`file.elf.telfhash`*:: + -- +telfhash symbol hash for ELF file. + type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`file.extension`*:: + -- +File extension, excluding the leading dot. +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + type: keyword +example: png + -- -*`rsa.misc.cn_mplstoplabip`*:: +*`file.gid`*:: + -- +Primary group ID (GID) of the file. + type: keyword +example: 1001 + -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`file.group`*:: + -- +Primary group name of the file. + type: keyword +example: alice + -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`file.hash.md5`*:: + -- +MD5 hash. + type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`file.hash.sha1`*:: + -- +SHA1 hash. + type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`file.hash.sha256`*:: + -- +SHA256 hash. + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`file.hash.sha512`*:: + -- +SHA512 hash. + type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`file.hash.ssdeep`*:: + -- +SSDEEP hash. + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`file.inode`*:: + -- +Inode representing the file in the filesystem. + type: keyword +example: 256383 + -- -*`rsa.misc.cn_src_tos`*:: +*`file.mime_type`*:: + -- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. 
When more than one type is applicable, the most specific type should be used. + type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`file.mode`*:: + -- +Mode of the file in octal representation. + type: keyword +example: 0640 + -- -*`rsa.misc.cn_sysuptime`*:: +*`file.mtime`*:: + -- -type: keyword +Last time the file content was modified. + +type: date -- -*`rsa.misc.cn_template_id`*:: +*`file.name`*:: + -- +Name of the file including the extension, without the directory. + type: keyword +example: example.png + -- -*`rsa.misc.cn_totbytsexp`*:: +*`file.owner`*:: + -- +File owner's username. + type: keyword +example: alice + -- -*`rsa.misc.cn_totflowexp`*:: +*`file.path`*:: + -- +Full path to the file, including the file name. It should include the drive letter, when appropriate. + type: keyword +example: /home/alice/example.png + -- -*`rsa.misc.cn_totpcktsexp`*:: +*`file.path.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cn_unixnanosecs`*:: +*`file.pe.architecture`*:: + -- +CPU architecture target for the file. + type: keyword +example: x64 + -- -*`rsa.misc.cn_v6flowlabel`*:: +*`file.pe.company`*:: + -- +Internal company name of the file, provided at compile-time. + type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.cn_v6optheaders`*:: +*`file.pe.description`*:: + -- +Internal description of the file, provided at compile-time. + type: keyword +example: Paint + -- -*`rsa.misc.comp_class`*:: +*`file.pe.file_version`*:: + -- +Internal version of the file, provided at compile-time. + type: keyword +example: 6.3.9600.17415 + -- -*`rsa.misc.comp_name`*:: +*`file.pe.imphash`*:: + -- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
+ type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.misc.comp_rbytes`*:: +*`file.pe.original_file_name`*:: + -- +Internal name of the file, provided at compile-time. + type: keyword +example: MSPAINT.EXE + -- -*`rsa.misc.comp_sbytes`*:: +*`file.pe.product`*:: + -- +Internal product name of the file, provided at compile-time. + type: keyword +example: Microsoft® Windows® Operating System + -- -*`rsa.misc.cpu_data`*:: +*`file.size`*:: + -- -type: keyword +File size in bytes. +Only relevant when `file.type` is "file". + +type: long + +example: 16384 -- -*`rsa.misc.criticality`*:: +*`file.target_path`*:: + -- +Target path for symlinks. + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`file.target_path.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cs_analyzedby`*:: +*`file.type`*:: + -- +File type (file, dir, or symlink). + type: keyword +example: file + -- -*`rsa.misc.cs_av_other`*:: +*`file.uid`*:: + -- +The user ID (UID) or security identifier (SID) of the file owner. + type: keyword +example: 1001 + -- -*`rsa.misc.cs_av_primary`*:: +*`file.x509.alternative_names`*:: + -- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + type: keyword +example: *.elastic.co + -- -*`rsa.misc.cs_av_secondary`*:: +*`file.x509.issuer.common_name`*:: + -- +List of common name (CN) of issuing certificate authority. + type: keyword +example: Example SHA2 High Assurance Server CA + -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`file.x509.issuer.country`*:: + -- +List of country (C) codes + type: keyword +example: US + -- -*`rsa.misc.cs_bit9status`*:: +*`file.x509.issuer.distinguished_name`*:: + -- +Distinguished name (DN) of issuing certificate authority. 
+ type: keyword +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + -- -*`rsa.misc.cs_context`*:: +*`file.x509.issuer.locality`*:: + -- +List of locality names (L) + type: keyword +example: Mountain View + -- -*`rsa.misc.cs_control`*:: +*`file.x509.issuer.organization`*:: + -- +List of organizations (O) of issuing certificate authority. + type: keyword +example: Example Inc + -- -*`rsa.misc.cs_data`*:: +*`file.x509.issuer.organizational_unit`*:: + -- +List of organizational units (OU) of issuing certificate authority. + type: keyword +example: www.example.com + -- -*`rsa.misc.cs_datecret`*:: +*`file.x509.issuer.state_or_province`*:: + -- +List of state or province names (ST, S, or P) + type: keyword +example: California + -- -*`rsa.misc.cs_dst_tld`*:: +*`file.x509.not_after`*:: + -- -type: keyword +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`file.x509.not_before`*:: + -- -type: keyword +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`rsa.misc.cs_eth_src_ven`*:: +*`file.x509.public_key_algorithm`*:: + -- +Algorithm used to generate the public key. + type: keyword +example: RSA + -- -*`rsa.misc.cs_event_uuid`*:: +*`file.x509.public_key_curve`*:: + -- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + type: keyword +example: nistp521 + -- -*`rsa.misc.cs_filetype`*:: +*`file.x509.public_key_exponent`*:: + -- -type: keyword +Exponent used to derive the public key. This is algorithm specific. --- +type: long -*`rsa.misc.cs_fld`*:: -+ --- -type: keyword +example: 65537 + +Field is not indexed. -- -*`rsa.misc.cs_if_desc`*:: +*`file.x509.public_key_size`*:: + -- -type: keyword +The size of the public key space in bits. 
--- +type: long -*`rsa.misc.cs_if_name`*:: -+ --- -type: keyword +example: 2048 -- -*`rsa.misc.cs_ip_next_hop`*:: +*`file.x509.serial_number`*:: + -- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`file.x509.signature_algorithm`*:: + -- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + type: keyword +example: SHA256-RSA + -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`file.x509.subject.common_name`*:: + -- +List of common names (CN) of subject. + type: keyword +example: shared.global.example.net + -- -*`rsa.misc.cs_lifetime`*:: +*`file.x509.subject.country`*:: + -- +List of country (C) code + type: keyword +example: US + -- -*`rsa.misc.cs_log_medium`*:: +*`file.x509.subject.distinguished_name`*:: + -- +Distinguished name (DN) of the certificate subject entity. + type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`rsa.misc.cs_loginname`*:: +*`file.x509.subject.locality`*:: + -- +List of locality names (L) + type: keyword +example: San Francisco + -- -*`rsa.misc.cs_modulescore`*:: +*`file.x509.subject.organization`*:: + -- +List of organizations (O) of subject. + type: keyword +example: Example, Inc. + -- -*`rsa.misc.cs_modulesign`*:: +*`file.x509.subject.organizational_unit`*:: + -- +List of organizational units (OU) of subject. + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`file.x509.subject.state_or_province`*:: + -- +List of state or province names (ST, S, or P) + type: keyword +example: California + -- -*`rsa.misc.cs_payload`*:: +*`file.x509.version_number`*:: + -- +Version of x509 format. 
+ type: keyword --- +example: 3 -*`rsa.misc.cs_registrant`*:: -+ -- -type: keyword --- +[float] +=== geo -*`rsa.misc.cs_registrar`*:: -+ --- -type: keyword +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. --- -*`rsa.misc.cs_represult`*:: +*`geo.city_name`*:: + -- +City name. + type: keyword +example: Montreal + -- -*`rsa.misc.cs_rpayload`*:: +*`geo.continent_code`*:: + -- +Two-letter code representing continent's name. + type: keyword +example: NA + -- -*`rsa.misc.cs_sampler_name`*:: +*`geo.continent_name`*:: + -- +Name of the continent. + type: keyword +example: North America + -- -*`rsa.misc.cs_sourcemodule`*:: +*`geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword +example: CA + -- -*`rsa.misc.cs_streams`*:: +*`geo.country_name`*:: + -- +Country name. + type: keyword +example: Canada + -- -*`rsa.misc.cs_targetmodule`*:: +*`geo.location`*:: + -- -type: keyword +Longitude and latitude. --- +type: geo_point -*`rsa.misc.cs_v6nxthop`*:: -+ --- -type: keyword +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.misc.cs_whois_server`*:: +*`geo.name`*:: + -- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + type: keyword +example: boston-dc + -- -*`rsa.misc.cs_yararesult`*:: +*`geo.postal_code`*:: + -- +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + type: keyword +example: 94040 + -- -*`rsa.misc.description`*:: +*`geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword +example: CA-QC + -- -*`rsa.misc.devvendor`*:: +*`geo.region_name`*:: + -- +Region name. 
+ type: keyword +example: Quebec + -- -*`rsa.misc.distance`*:: +*`geo.timezone`*:: + -- +The time zone of the location, such as IANA time zone name. + type: keyword --- +example: America/Argentina/Buenos_Aires -*`rsa.misc.dstburb`*:: -+ -- -type: keyword --- +[float] +=== group -*`rsa.misc.edomain`*:: -+ --- -type: keyword +The group fields are meant to represent groups that are relevant to the event. --- -*`rsa.misc.edomaub`*:: +*`group.domain`*:: + -- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + type: keyword -- -*`rsa.misc.euid`*:: +*`group.id`*:: + -- +Unique identifier for the group on the system/platform. + type: keyword -- -*`rsa.misc.facility`*:: +*`group.name`*:: + -- +Name of the group. + type: keyword -- -*`rsa.misc.finterface`*:: -+ --- -type: keyword +[float] +=== hash --- +The hash fields represent different bitwise hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). -*`rsa.misc.flags`*:: + +*`hash.md5`*:: + -- +MD5 hash. + type: keyword -- -*`rsa.misc.gaddr`*:: +*`hash.sha1`*:: + -- +SHA1 hash. + type: keyword -- -*`rsa.misc.id3`*:: +*`hash.sha256`*:: + -- +SHA256 hash. + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`hash.sha512`*:: + -- +SHA512 hash. + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`hash.ssdeep`*:: + -- +SSDEEP hash. + type: keyword -- -*`rsa.misc.im_croomtype`*:: -+ --- -type: keyword +[float] +=== host --- +A host is defined as a general computing instance. 
+ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. -*`rsa.misc.im_members`*:: + +*`host.architecture`*:: + -- +Operating system architecture. + type: keyword +example: x86_64 + -- -*`rsa.misc.im_username`*:: +*`host.cpu.usage`*:: + -- -type: keyword +Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. +Scaling factor: 1000. +For example: For a two core host, this value should be the average of the two cores, between 0 and 1. + +type: scaled_float -- -*`rsa.misc.ipkt`*:: +*`host.disk.read.bytes`*:: + -- -type: keyword +The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. + +type: long -- -*`rsa.misc.ipscat`*:: +*`host.disk.write.bytes`*:: + -- -type: keyword +The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. + +type: long -- -*`rsa.misc.ipspri`*:: +*`host.domain`*:: + -- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + type: keyword +example: CONTOSO + -- -*`rsa.misc.latitude`*:: +*`host.geo.city_name`*:: + -- +City name. + type: keyword +example: Montreal + -- -*`rsa.misc.linenum`*:: +*`host.geo.continent_code`*:: + -- +Two-letter code representing continent's name. + type: keyword +example: NA + -- -*`rsa.misc.list_name`*:: +*`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword +example: North America + -- -*`rsa.misc.load_data`*:: +*`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword +example: CA + -- -*`rsa.misc.location_floor`*:: +*`host.geo.country_name`*:: + -- +Country name. 
+ type: keyword +example: Canada + -- -*`rsa.misc.location_mark`*:: +*`host.geo.location`*:: + -- -type: keyword +Longitude and latitude. --- +type: geo_point -*`rsa.misc.log_id`*:: -+ --- -type: keyword +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.misc.log_type`*:: +*`host.geo.name`*:: + -- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + type: keyword +example: boston-dc + -- -*`rsa.misc.logid`*:: +*`host.geo.postal_code`*:: + -- +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + type: keyword +example: 94040 + -- -*`rsa.misc.logip`*:: +*`host.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword +example: CA-QC + -- -*`rsa.misc.logname`*:: +*`host.geo.region_name`*:: + -- +Region name. + type: keyword +example: Quebec + -- -*`rsa.misc.longitude`*:: +*`host.geo.timezone`*:: + -- +The time zone of the location, such as IANA time zone name. + type: keyword +example: America/Argentina/Buenos_Aires + -- -*`rsa.misc.lport`*:: +*`host.hostname`*:: + -- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`host.id`*:: + -- +Unique host id. +As hostname is not always unique, use values that are meaningful in your environment. +Example: The current usage of `beat.name`. + type: keyword -- -*`rsa.misc.misc_name`*:: +*`host.ip`*:: + -- -type: keyword +Host ip addresses. + +type: ip -- -*`rsa.misc.msg_type`*:: +*`host.mac`*:: + -- +Host MAC addresses. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. + type: keyword +example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] + -- -*`rsa.misc.msgid`*:: +*`host.name`*:: + -- +Name of the host. +It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + type: keyword -- -*`rsa.misc.netsessid`*:: +*`host.network.egress.bytes`*:: + -- -type: keyword +The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. + +type: long -- -*`rsa.misc.num`*:: +*`host.network.egress.packets`*:: + -- -type: keyword +The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. + +type: long -- -*`rsa.misc.number1`*:: +*`host.network.ingress.bytes`*:: + -- -type: keyword +The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. + +type: long -- -*`rsa.misc.number2`*:: +*`host.network.ingress.packets`*:: + -- -type: keyword +The number of packets (gauge) received on all network interfaces by the host since the last metric collection. + +type: long -- -*`rsa.misc.nwwn`*:: +*`host.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword +example: debian + -- -*`rsa.misc.object`*:: +*`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword +example: Mac OS Mojave + -- -*`rsa.misc.operation`*:: +*`host.os.full.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.opkt`*:: +*`host.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword +example: 4.4.0-112-generic + -- -*`rsa.misc.orig_from`*:: +*`host.os.name`*:: + -- +Operating system name, without the version. 
+ type: keyword +example: Mac OS X + -- -*`rsa.misc.owner_id`*:: +*`host.os.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.p_action`*:: +*`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword +example: darwin + -- -*`rsa.misc.p_filter`*:: +*`host.os.type`*:: + -- +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + type: keyword +example: macos + -- -*`rsa.misc.p_group_object`*:: +*`host.os.version`*:: + -- +Operating system version as a raw string. + type: keyword +example: 10.14.1 + -- -*`rsa.misc.p_id`*:: +*`host.type`*:: + -- +Type of host. +For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`host.uptime`*:: + -- -type: keyword +Seconds the host has been up. --- +type: long -*`rsa.misc.p_msgid2`*:: -+ --- -type: keyword +example: 1325 -- -*`rsa.misc.p_result1`*:: +*`host.user.domain`*:: + -- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + type: keyword -- -*`rsa.misc.password_chg`*:: +*`host.user.email`*:: + -- +User email address. + type: keyword -- -*`rsa.misc.password_expire`*:: +*`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword +example: Albert Einstein + -- -*`rsa.misc.permgranted`*:: +*`host.user.full_name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.permwanted`*:: +*`host.user.group.domain`*:: + -- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. 
+ type: keyword -- -*`rsa.misc.pgid`*:: +*`host.user.group.id`*:: + -- +Unique identifier for the group on the system/platform. + type: keyword -- -*`rsa.misc.policyUUID`*:: +*`host.user.group.name`*:: + -- +Name of the group. + type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`host.user.hash`*:: + -- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + type: keyword -- -*`rsa.misc.program`*:: +*`host.user.id`*:: + -- +Unique identifier of the user. + type: keyword -- -*`rsa.misc.real_data`*:: +*`host.user.name`*:: + -- +Short name or login of the user. + type: keyword +example: albert + -- -*`rsa.misc.rec_asp_device`*:: +*`host.user.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.rec_asp_num`*:: +*`host.user.roles`*:: + -- +Array of user roles at the time of the event. + type: keyword --- +example: ["kibana_admin", "reporting_user"] -*`rsa.misc.rec_library`*:: -+ -- -type: keyword --- +[float] +=== http -*`rsa.misc.recordnum`*:: -+ --- -type: keyword +Fields related to HTTP activity. Use the `url` field set to store the url of the request. --- -*`rsa.misc.ruid`*:: +*`http.request.body.bytes`*:: + -- -type: keyword +Size in bytes of the request body. --- +type: long -*`rsa.misc.sburb`*:: -+ --- -type: keyword +example: 887 + +format: bytes -- -*`rsa.misc.sdomain_fld`*:: +*`http.request.body.content`*:: + -- +The full HTTP request body. + type: keyword +example: Hello world + -- -*`rsa.misc.sec`*:: +*`http.request.body.content.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.sensorname`*:: +*`http.request.bytes`*:: + -- -type: keyword +Total size in bytes of the request (body and headers). 
--- +type: long -*`rsa.misc.seqnum`*:: -+ --- -type: keyword +example: 1437 + +format: bytes -- -*`rsa.misc.session`*:: +*`http.request.id`*:: + -- +A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. +The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. + type: keyword +example: 123e4567-e89b-12d3-a456-426614174000 + -- -*`rsa.misc.sessiontype`*:: +*`http.request.method`*:: + -- +HTTP request method. +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 + type: keyword +example: GET, POST, PUT, PoST + -- -*`rsa.misc.sigUUID`*:: +*`http.request.mime_type`*:: + -- +Mime type of the body of the request. +This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. + type: keyword +example: image/gif + -- -*`rsa.misc.spi`*:: +*`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword +example: https://blog.example.com/ + -- -*`rsa.misc.srcburb`*:: +*`http.response.body.bytes`*:: + -- -type: keyword +Size in bytes of the response body. --- +type: long -*`rsa.misc.srcdom`*:: -+ --- -type: keyword +example: 887 + +format: bytes -- -*`rsa.misc.srcservice`*:: +*`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword +example: Hello world + -- -*`rsa.misc.state`*:: +*`http.response.body.content.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.status1`*:: +*`http.response.bytes`*:: + -- -type: keyword +Total size in bytes of the response (body and headers). 
--- +type: long -*`rsa.misc.svcno`*:: -+ --- -type: keyword +example: 1437 + +format: bytes -- -*`rsa.misc.system`*:: +*`http.response.mime_type`*:: + -- +Mime type of the body of the response. +This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. + type: keyword +example: image/gif + -- -*`rsa.misc.tbdstr1`*:: +*`http.response.status_code`*:: + -- -type: keyword +HTTP response status code. --- +type: long -*`rsa.misc.tgtdom`*:: -+ --- -type: keyword +example: 404 + +format: string -- -*`rsa.misc.tgtdomain`*:: +*`http.version`*:: + -- +HTTP version. + type: keyword --- +example: 1.1 -*`rsa.misc.threshold`*:: -+ -- -type: keyword --- +[float] +=== interface -*`rsa.misc.type1`*:: -+ --- -type: keyword +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. --- -*`rsa.misc.udb_class`*:: +*`interface.alias`*:: + -- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + type: keyword +example: outside + -- -*`rsa.misc.url_fld`*:: +*`interface.id`*:: + -- +Interface ID as reported by an observer (typically SNMP interface ID). + type: keyword +example: 10 + -- -*`rsa.misc.user_div`*:: +*`interface.name`*:: + -- +Interface name as reported by the system. + type: keyword --- +example: eth0 -*`rsa.misc.userid`*:: -+ -- -type: keyword --- +[float] +=== log -*`rsa.misc.username_fld`*:: +Details about the event's logging mechanism or logging transport. 
+The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. + + +*`log.file.path`*:: + -- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + type: keyword +example: /var/log/fun-times.log + -- -*`rsa.misc.utcstamp`*:: +*`log.level`*:: + -- +Original log level of the log event. +If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). +Some examples are `warn`, `err`, `i`, `informational`. + type: keyword +example: error + -- -*`rsa.misc.v_instafname`*:: +*`log.logger`*:: + -- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + type: keyword +example: org.elasticsearch.bootstrap.Bootstrap + -- -*`rsa.misc.virt_data`*:: +*`log.origin.file.line`*:: + -- -type: keyword +The line number of the file containing the source code which originated the log event. + +type: integer + +example: 42 -- -*`rsa.misc.vpnid`*:: +*`log.origin.file.name`*:: + -- +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. + type: keyword +example: Bootstrap.java + -- -*`rsa.misc.autorun_type`*:: +*`log.origin.function`*:: + -- -This is used to capture Auto Run type +The name of the function or method which originated the log event. 
type: keyword +example: init + -- -*`rsa.misc.cc_number`*:: +*`log.original`*:: + -- -Valid Credit Card Numbers only +Deprecated for removal in next major version release. This field is superseded by `event.original`. +This is the original log message and contains the full log message before splitting it up in multiple parts. +In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. +This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. -type: long +type: keyword + +example: Sep 19 08:26:10 localhost My log + +Field is not indexed. -- -*`rsa.misc.content`*:: +*`log.syslog`*:: + -- -This key captures the content type from protocol headers +The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. -type: keyword +type: object -- -*`rsa.misc.ein_number`*:: +*`log.syslog.facility.code`*:: + -- -Employee Identification Numbers only +The Syslog numeric facility of the log event, if available. +According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. type: long +example: 23 + +format: string + -- -*`rsa.misc.found`*:: +*`log.syslog.facility.name`*:: + -- -This is used to capture the results of regex match +The Syslog text-based facility of the log event, if available. type: keyword +example: local7 + -- -*`rsa.misc.language`*:: +*`log.syslog.priority`*:: + -- -This is used to capture list of languages the client support and what it prefers +Syslog numeric priority of the event, if available. +According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. 
-type: keyword +type: long + +example: 135 + +format: string -- -*`rsa.misc.lifetime`*:: +*`log.syslog.severity.code`*:: + -- -This key is used to capture the session lifetime in seconds. +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. type: long +example: 3 + -- -*`rsa.misc.link`*:: +*`log.syslog.severity.name`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. type: keyword +example: Error + -- -*`rsa.misc.match`*:: +[float] +=== network + +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. + + +*`network.application`*:: + -- -This key is for regex match name from search.ini +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
type: keyword +example: aim + -- -*`rsa.misc.param_dst`*:: +*`network.bytes`*:: + -- -This key captures the command line/launch argument of the target process or file +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. -type: keyword +type: long + +example: 368 + +format: bytes -- -*`rsa.misc.param_src`*:: +*`network.community_id`*:: + -- -This key captures source parameter +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. type: keyword +example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + -- -*`rsa.misc.search_text`*:: +*`network.direction`*:: + -- -This key captures the Search Text used +Direction of the network traffic. +Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + +When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". +Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. type: keyword +example: inbound + -- -*`rsa.misc.sig_name`*:: +*`network.forwarded_ip`*:: + -- -This key is used to capture the Signature Name only. +Host IP address when the source IP address is the proxy. 
-type: keyword +type: ip + +example: 192.1.1.2 -- -*`rsa.misc.snmp_value`*:: +*`network.iana_number`*:: + -- -SNMP set request value +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword +example: 6 + -- -*`rsa.misc.streams`*:: +*`network.inner`*:: + -- -This key captures number of streams in session +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) -type: long +type: object -- - -*`rsa.db.index`*:: +*`network.inner.vlan.id`*:: + -- -This key captures IndexID of the index. +VLAN ID as reported by the observer. type: keyword +example: 10 + -- -*`rsa.db.instance`*:: +*`network.inner.vlan.name`*:: + -- -This key is used to capture the database server instance name +Optional VLAN name as reported by the observer. type: keyword +example: outside + -- -*`rsa.db.database`*:: +*`network.name`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +Name given by operators to sections of their network. type: keyword +example: Guest Wifi + -- -*`rsa.db.transact_id`*:: +*`network.packets`*:: + -- -This key captures the SQL transantion ID of the current session +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. -type: keyword +type: long + +example: 24 -- -*`rsa.db.permissions`*:: +*`network.protocol`*:: + -- -This key captures permission or privilege level assigned to a resource. +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. 
See the documentation section "Implementing ECS". type: keyword +example: http + -- -*`rsa.db.table_name`*:: +*`network.transport`*:: + -- -This key is used to capture the table name +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword +example: tcp + -- -*`rsa.db.db_id`*:: +*`network.type`*:: + -- -This key is used to capture the unique identifier for a database +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword +example: ipv4 + -- -*`rsa.db.db_pid`*:: +*`network.vlan.id`*:: + -- -This key captures the process id of a connection with database server +VLAN ID as reported by the observer. -type: long +type: keyword + +example: 10 -- -*`rsa.db.lread`*:: +*`network.vlan.name`*:: + -- -This key is used for the number of logical reads +Optional VLAN name as reported by the observer. -type: long +type: keyword --- +example: outside -*`rsa.db.lwrite`*:: -+ -- -This key is used for the number of logical writes -type: long +[float] +=== observer --- +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. 
Message queues and ETL components used in processing events or metrics are not considered observers in ECS. -*`rsa.db.pread`*:: + +*`observer.egress`*:: + -- -This key is used for the number of physical writes +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. -type: long +type: object -- - -*`rsa.network.alias_host`*:: +*`observer.egress.interface.alias`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword +example: outside + -- -*`rsa.network.domain`*:: +*`observer.egress.interface.id`*:: + -- +Interface ID as reported by an observer (typically SNMP interface ID). + type: keyword +example: 10 + -- -*`rsa.network.host_dst`*:: +*`observer.egress.interface.name`*:: + -- -This key should only be used when it’s a Destination Hostname +Interface name as reported by the system. type: keyword +example: eth0 + -- -*`rsa.network.network_service`*:: +*`observer.egress.vlan.id`*:: + -- -This is used to capture layer 7 protocols/service names +VLAN ID as reported by the observer. type: keyword +example: 10 + -- -*`rsa.network.interface`*:: +*`observer.egress.vlan.name`*:: + -- -This key should be used when the source or destination context of an interface is not clear +Optional VLAN name as reported by the observer. type: keyword +example: outside + -- -*`rsa.network.network_port`*:: +*`observer.egress.zone`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
+Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. -type: long +type: keyword + +example: Public_Internet -- -*`rsa.network.eth_host`*:: +*`observer.geo.city_name`*:: + -- -Deprecated, use alias.mac +City name. type: keyword +example: Montreal + -- -*`rsa.network.sinterface`*:: +*`observer.geo.continent_code`*:: + -- -This key should only be used when it’s a Source Interface +Two-letter code representing continent's name. type: keyword +example: NA + -- -*`rsa.network.dinterface`*:: +*`observer.geo.continent_name`*:: + -- -This key should only be used when it’s a Destination Interface +Name of the continent. type: keyword +example: North America + -- -*`rsa.network.vlan`*:: +*`observer.geo.country_iso_code`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +Country ISO code. -type: long +type: keyword + +example: CA -- -*`rsa.network.zone_src`*:: +*`observer.geo.country_name`*:: + -- -This key should only be used when it’s a Source Zone. +Country name. type: keyword +example: Canada + -- -*`rsa.network.zone`*:: +*`observer.geo.location`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +Longitude and latitude. -type: keyword +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.network.zone_dst`*:: +*`observer.geo.name`*:: + -- -This key should only be used when it’s a Destination Zone. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword +example: boston-dc + -- -*`rsa.network.gateway`*:: +*`observer.geo.postal_code`*:: + -- -This key is used to capture the IP Address of the gateway +Postal code associated with the location. 
+Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword --- - -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only - -type: long +example: 94040 -- -*`rsa.network.mask`*:: +*`observer.geo.region_iso_code`*:: + -- -This key is used to capture the device network IPmask. +Region ISO code. type: keyword +example: CA-QC + -- -*`rsa.network.icmp_code`*:: +*`observer.geo.region_name`*:: + -- -This key is used to capture the ICMP code only +Region name. -type: long +type: keyword + +example: Quebec -- -*`rsa.network.protocol_detail`*:: +*`observer.geo.timezone`*:: + -- -This key should be used to capture additional protocol information +The time zone of the location, such as IANA time zone name. type: keyword +example: America/Argentina/Buenos_Aires + -- -*`rsa.network.dmask`*:: +*`observer.hostname`*:: + -- -This key is used for Destionation Device network mask +Hostname of the observer. type: keyword -- -*`rsa.network.port`*:: +*`observer.ingress`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. -type: long +type: object -- -*`rsa.network.smask`*:: +*`observer.ingress.interface.alias`*:: + -- -This key is used for capturing source Network Mask +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword +example: outside + -- -*`rsa.network.netname`*:: +*`observer.ingress.interface.id`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. 
+Interface ID as reported by an observer (typically SNMP interface ID). type: keyword +example: 10 + -- -*`rsa.network.paddr`*:: +*`observer.ingress.interface.name`*:: + -- -Deprecated +Interface name as reported by the system. -type: ip +type: keyword + +example: eth0 -- -*`rsa.network.faddr`*:: +*`observer.ingress.vlan.id`*:: + -- +VLAN ID as reported by the observer. + type: keyword +example: 10 + -- -*`rsa.network.lhost`*:: +*`observer.ingress.vlan.name`*:: + -- +Optional VLAN name as reported by the observer. + type: keyword +example: outside + -- -*`rsa.network.origin`*:: +*`observer.ingress.zone`*:: + -- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + type: keyword +example: DMZ + -- -*`rsa.network.remote_domain_id`*:: +*`observer.ip`*:: + -- -type: keyword +IP addresses of the observer. + +type: ip -- -*`rsa.network.addr`*:: +*`observer.mac`*:: + -- +MAC addresses of the observer. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + type: keyword +example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] + -- -*`rsa.network.dns_a_record`*:: +*`observer.name`*:: + -- +Custom name of the observer. +This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. +If no custom name is needed, the field can be left empty. + type: keyword +example: 1_proxySG + -- -*`rsa.network.dns_ptr_record`*:: +*`observer.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword +example: debian + -- -*`rsa.network.fhost`*:: +*`observer.os.full`*:: + -- +Operating system name, including the version or code name. 
+ type: keyword +example: Mac OS Mojave + -- -*`rsa.network.fport`*:: +*`observer.os.full.text`*:: + -- -type: keyword +type: text -- -*`rsa.network.laddr`*:: +*`observer.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword +example: 4.4.0-112-generic + -- -*`rsa.network.linterface`*:: +*`observer.os.name`*:: + -- +Operating system name, without the version. + type: keyword +example: Mac OS X + -- -*`rsa.network.phost`*:: +*`observer.os.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.network.ad_computer_dst`*:: +*`observer.os.platform`*:: + -- -Deprecated, use host.dst +Operating system platform (such centos, ubuntu, windows). type: keyword +example: darwin + -- -*`rsa.network.eth_type`*:: +*`observer.os.type`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. -type: long +type: keyword + +example: macos -- -*`rsa.network.ip_proto`*:: +*`observer.os.version`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +Operating system version as a raw string. -type: long +type: keyword + +example: 10.14.1 -- -*`rsa.network.dns_cname_record`*:: +*`observer.product`*:: + -- +The product name of the observer. + type: keyword +example: s200 + -- -*`rsa.network.dns_id`*:: +*`observer.serial_number`*:: + -- +Observer serial number. + type: keyword -- -*`rsa.network.dns_opcode`*:: +*`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword +example: firewall + -- -*`rsa.network.dns_resp`*:: +*`observer.vendor`*:: + -- +Vendor name of the observer. + type: keyword +example: Symantec + -- -*`rsa.network.dns_type`*:: +*`observer.version`*:: + -- +Observer version. + type: keyword -- -*`rsa.network.domain1`*:: -+ --- -type: keyword +[float] +=== orchestrator --- +Fields that describe the resources which container orchestrators manage or act upon. -*`rsa.network.host_type`*:: + +*`orchestrator.api_version`*:: + -- +API version being used to carry out the action + type: keyword +example: v1beta1 + -- -*`rsa.network.packet_length`*:: +*`orchestrator.cluster.name`*:: + -- +Name of the cluster. + type: keyword -- -*`rsa.network.host_orig`*:: +*`orchestrator.cluster.url`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +URL of the API used to manage the cluster. type: keyword -- -*`rsa.network.rpayload`*:: +*`orchestrator.cluster.version`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +The version of the cluster. type: keyword -- -*`rsa.network.vlan_name`*:: +*`orchestrator.namespace`*:: + -- -This key should only be used to capture the name of the Virtual LAN +Namespace in which the action is taking place. type: keyword --- +example: kube-system +-- -*`rsa.investigations.ec_activity`*:: +*`orchestrator.organization`*:: + -- -This key captures the particular event activity(Ex:Logoff) +Organization affected by the event (for multi-tenant orchestrator setups). type: keyword +example: elastic + -- -*`rsa.investigations.ec_theme`*:: +*`orchestrator.resource.name`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +Name of the resource being acted upon. 
type: keyword +example: test-pod-cdcws + -- -*`rsa.investigations.ec_subject`*:: +*`orchestrator.resource.type`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +Type of resource being acted upon. type: keyword +example: service + -- -*`rsa.investigations.ec_outcome`*:: +*`orchestrator.type`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). type: keyword --- +example: kubernetes -*`rsa.investigations.event_cat`*:: -+ -- -This key captures the Event category number -type: long +[float] +=== organization --- +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. -*`rsa.investigations.event_cat_name`*:: + +*`organization.id`*:: + -- -This key captures the event category name corresponding to the event cat code +Unique identifier for the organization. type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`organization.name`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +Organization name. type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`organization.name.text`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - -type: keyword +type: text -- -*`rsa.investigations.analysis_service`*:: +[float] +=== os + +The OS fields contain information about the operating system. + + +*`os.family`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +OS family (such as redhat, debian, freebsd, windows). 
type: keyword +example: debian + -- -*`rsa.investigations.analysis_session`*:: +*`os.full`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +Operating system name, including the version or code name. type: keyword +example: Mac OS Mojave + -- -*`rsa.investigations.boc`*:: +*`os.full.text`*:: + -- -This is used to capture behaviour of compromise - -type: keyword +type: text -- -*`rsa.investigations.eoc`*:: +*`os.kernel`*:: + -- -This is used to capture Enablers of Compromise +Operating system kernel version as a raw string. type: keyword +example: 4.4.0-112-generic + -- -*`rsa.investigations.inv_category`*:: +*`os.name`*:: + -- -This used to capture investigation category +Operating system name, without the version. type: keyword +example: Mac OS X + -- -*`rsa.investigations.inv_context`*:: +*`os.name.text`*:: + -- -This used to capture investigation context - -type: keyword +type: text -- -*`rsa.investigations.ioc`*:: +*`os.platform`*:: + -- -This is key capture indicator of compromise +Operating system platform (such centos, ubuntu, windows). type: keyword --- +example: darwin +-- -*`rsa.counters.dclass_c1`*:: +*`os.type`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. -type: long +type: keyword + +example: macos -- -*`rsa.counters.dclass_c2`*:: +*`os.version`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +Operating system version as a raw string. 
-type: long +type: keyword --- +example: 10.14.1 -*`rsa.counters.event_counter`*:: -+ -- -This is used to capture the number of times an event repeated -type: long +[float] +=== package --- +These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. -*`rsa.counters.dclass_r1`*:: + +*`package.architecture`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +Package architecture. type: keyword +example: x86_64 + -- -*`rsa.counters.dclass_c3`*:: +*`package.build_version`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +Additional information about the build version of the installed package. +For example use the commit SHA of a non-released package. -type: long +type: keyword + +example: 36f4f7e89dd61b0988b12ee000b98966867710cd -- -*`rsa.counters.dclass_c1_str`*:: +*`package.checksum`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +Checksum of the installed package for verification. type: keyword +example: 68b329da9893e34099c7d8ad5cb9c940 + -- -*`rsa.counters.dclass_c2_str`*:: +*`package.description`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +Description of the package. type: keyword +example: Open source programming language to build simple/reliable/efficient software. + -- -*`rsa.counters.dclass_r1_str`*:: +*`package.install_scope`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +Indicating how the package was installed, e.g. user-local, global. type: keyword +example: global + -- -*`rsa.counters.dclass_r2`*:: +*`package.installed`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +Time when package was installed. 
-type: keyword +type: date -- -*`rsa.counters.dclass_c3_str`*:: +*`package.license`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). type: keyword +example: Apache License 2.0 + -- -*`rsa.counters.dclass_r3`*:: +*`package.name`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +Package name type: keyword +example: go + -- -*`rsa.counters.dclass_r2_str`*:: +*`package.path`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +Path where the package is installed. type: keyword +example: /usr/local/Cellar/go/1.12.9/ + -- -*`rsa.counters.dclass_r3_str`*:: +*`package.reference`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +Home page or reference URL of the software in this package, if available. type: keyword --- +example: https://golang.org +-- -*`rsa.identity.auth_method`*:: +*`package.size`*:: + -- -This key is used to capture authentication methods used only +Package size in bytes. -type: keyword +type: long + +example: 62231 + +format: string -- -*`rsa.identity.user_role`*:: +*`package.type`*:: + -- -This key is used to capture the Role of a user only +Type of package. +This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. type: keyword +example: rpm + -- -*`rsa.identity.dn`*:: +*`package.version`*:: + -- -X.500 (LDAP) Distinguished Name +Package version type: keyword --- +example: 1.12.9 -*`rsa.identity.logon_type`*:: -+ -- -This key is used to capture the type of logon method used. -type: keyword +[float] +=== pe --- +These fields contain Windows Portable Executable (PE) metadata. 
-*`rsa.identity.profile`*:: + +*`pe.architecture`*:: + -- -This key is used to capture the user profile +CPU architecture target for the file. type: keyword +example: x64 + -- -*`rsa.identity.accesses`*:: +*`pe.company`*:: + -- -This key is used to capture actual privileges used in accessing an object +Internal company name of the file, provided at compile-time. type: keyword +example: Microsoft Corporation + -- -*`rsa.identity.realm`*:: +*`pe.description`*:: + -- -Radius realm or similar grouping of accounts +Internal description of the file, provided at compile-time. type: keyword +example: Paint + -- -*`rsa.identity.user_sid_dst`*:: +*`pe.file_version`*:: + -- -This key captures Destination User Session ID +Internal version of the file, provided at compile-time. type: keyword +example: 6.3.9600.17415 + -- -*`rsa.identity.dn_src`*:: +*`pe.imphash`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.identity.org`*:: +*`pe.original_file_name`*:: + -- -This key captures the User organization +Internal name of the file, provided at compile-time. type: keyword +example: MSPAINT.EXE + -- -*`rsa.identity.dn_dst`*:: +*`pe.product`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +Internal product name of the file, provided at compile-time. 
type: keyword --- +example: Microsoft® Windows® Operating System -*`rsa.identity.firstname`*:: -+ -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: keyword +[float] +=== process --- +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. -*`rsa.identity.lastname`*:: + +*`process.args`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword +example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] + -- -*`rsa.identity.user_dept`*:: +*`process.args_count`*:: + -- -User's Department Names only +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. -type: keyword +type: long + +example: 4 -- -*`rsa.identity.user_sid_src`*:: +*`process.code_signature.exists`*:: + -- -This key captures Source User Session ID +Boolean to capture if a signature is present. -type: keyword +type: boolean + +example: true -- -*`rsa.identity.federated_sp`*:: +*`process.code_signature.signing_id`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword +example: com.apple.xpc.proxy + -- -*`rsa.identity.federated_idp`*:: +*`process.code_signature.status`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. 
+Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.identity.logon_type_desc`*:: +*`process.code_signature.subject_name`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +Subject name of the code signer type: keyword +example: Microsoft Corporation + -- -*`rsa.identity.middlename`*:: +*`process.code_signature.team_id`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword +example: EQHXZ8M8AV + -- -*`rsa.identity.password`*:: +*`process.code_signature.trusted`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean + +example: true -- -*`rsa.identity.host_role`*:: +*`process.code_signature.valid`*:: + -- -This key should only be used to capture the role of a Host Machine +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: keyword +type: boolean + +example: true -- -*`rsa.identity.ldap`*:: +*`process.command_line`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +Full command line that started the process, including the absolute path to the executable, and all arguments. 
+Some arguments may be filtered to protect sensitive information. type: keyword +example: /usr/bin/ssh -l user 10.0.0.16 + -- -*`rsa.identity.ldap_query`*:: +*`process.command_line.text`*:: + -- -This key is the Search criteria from an LDAP search - -type: keyword +type: text -- -*`rsa.identity.ldap_response`*:: +*`process.elf.architecture`*:: + -- -This key is to capture Results from an LDAP search +Machine architecture of the ELF file. type: keyword +example: x86-64 + -- -*`rsa.identity.owner`*:: +*`process.elf.byte_order`*:: + -- -This is used to capture username the process or service is running as, the author of the task +Byte sequence of ELF file. type: keyword +example: Little Endian + -- -*`rsa.identity.service_account`*:: +*`process.elf.cpu_type`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +CPU type of the ELF file. type: keyword --- +example: Intel +-- -*`rsa.email.email_dst`*:: +*`process.elf.creation_date`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -type: keyword +type: date -- -*`rsa.email.email_src`*:: +*`process.elf.exports`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +List of exported element names and types. -type: keyword +type: flattened -- -*`rsa.email.subject`*:: +*`process.elf.header.abi_version`*:: + -- -This key is used to capture the subject string from an Email only. +Version of the ELF Application Binary Interface (ABI). type: keyword -- -*`rsa.email.email`*:: +*`process.elf.header.class`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +Header class of the ELF file. 
type: keyword -- -*`rsa.email.trans_from`*:: +*`process.elf.header.data`*:: + -- -Deprecated key defined only in table map. +Data table of the ELF header. type: keyword -- -*`rsa.email.trans_to`*:: +*`process.elf.header.entrypoint`*:: + -- -Deprecated key defined only in table map. +Header entrypoint of the ELF file. -type: keyword +type: long --- +format: string +-- -*`rsa.file.privilege`*:: +*`process.elf.header.object_version`*:: + -- -Deprecated, use permissions +"0x1" for original ELF files. type: keyword -- -*`rsa.file.attachment`*:: +*`process.elf.header.os_abi`*:: + -- -This key captures the attachment file name +Application Binary Interface (ABI) of the Linux OS. type: keyword -- -*`rsa.file.filesystem`*:: +*`process.elf.header.type`*:: + -- +Header type of the ELF file. + type: keyword -- -*`rsa.file.binary`*:: +*`process.elf.header.version`*:: + -- -Deprecated key defined only in table map. +Version of the ELF header. type: keyword -- -*`rsa.file.filename_dst`*:: +*`process.elf.imports`*:: + -- -This is used to capture name of the file targeted by the action +List of imported element names and types. -type: keyword +type: flattened -- -*`rsa.file.filename_src`*:: +*`process.elf.sections`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. -type: keyword +type: nested -- -*`rsa.file.filename_tmp`*:: +*`process.elf.sections.chi2`*:: + -- -type: keyword +Chi-square probability distribution of the section. + +type: long + +format: number -- -*`rsa.file.directory_dst`*:: +*`process.elf.sections.entropy`*:: + -- -This key is used to capture the directory of the target process or file +Shannon entropy calculation from the section. 
-type: keyword +type: long + +format: number -- -*`rsa.file.directory_src`*:: +*`process.elf.sections.flags`*:: + -- -This key is used to capture the directory of the source process or file +ELF Section List flags. type: keyword -- -*`rsa.file.file_entropy`*:: +*`process.elf.sections.name`*:: + -- -This is used to capture entropy vale of a file +ELF Section List name. -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`process.elf.sections.physical_offset`*:: + -- -This is used to capture Company name of file located in version_info +ELF Section List offset. type: keyword -- -*`rsa.file.task_name`*:: +*`process.elf.sections.physical_size`*:: + -- -This is used to capture name of the task +ELF Section List physical size. -type: keyword +type: long --- +format: bytes +-- -*`rsa.web.fqdn`*:: +*`process.elf.sections.type`*:: + -- -Fully Qualified Domain Names +ELF Section List type. type: keyword -- -*`rsa.web.web_cookie`*:: +*`process.elf.sections.virtual_address`*:: + -- -This key is used to capture the Web cookies specifically. +ELF Section List virtual address. -type: keyword +type: long + +format: string -- -*`rsa.web.alias_host`*:: +*`process.elf.sections.virtual_size`*:: + -- -type: keyword +ELF Section List virtual size. + +type: long + +format: string -- -*`rsa.web.reputation_num`*:: +*`process.elf.segments`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. -type: double +type: nested -- -*`rsa.web.web_ref_domain`*:: +*`process.elf.segments.sections`*:: + -- -Web referer's domain +ELF object segment sections. type: keyword -- -*`rsa.web.web_ref_query`*:: +*`process.elf.segments.type`*:: + -- -This key captures Web referer's query portion of the URL +ELF object segment type. 
type: keyword -- -*`rsa.web.remote_domain`*:: +*`process.elf.shared_libraries`*:: + -- +List of shared libraries used by this ELF object. + type: keyword -- -*`rsa.web.web_ref_page`*:: +*`process.elf.telfhash`*:: + -- -This key captures Web referer's page information +telfhash symbol hash for ELF file. type: keyword -- -*`rsa.web.web_ref_root`*:: +*`process.entity_id`*:: + -- -Web referer's root URL path +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword +example: c2c455d9f99375d + -- -*`rsa.web.cn_asn_dst`*:: +*`process.executable`*:: + -- +Absolute path to the process executable. + type: keyword +example: /usr/bin/ssh + -- -*`rsa.web.cn_rpackets`*:: +*`process.executable.text`*:: + -- -type: keyword +type: text -- -*`rsa.web.urlpage`*:: +*`process.exit_code`*:: + -- -type: keyword +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). --- +type: long -*`rsa.web.urlroot`*:: -+ --- -type: keyword +example: 137 -- -*`rsa.web.p_url`*:: +*`process.hash.md5`*:: + -- +MD5 hash. + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`process.hash.sha1`*:: + -- +SHA1 hash. + type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`process.hash.sha256`*:: + -- +SHA256 hash. + type: keyword -- -*`rsa.web.p_web_method`*:: +*`process.hash.sha512`*:: + -- +SHA512 hash. + type: keyword -- -*`rsa.web.p_web_referer`*:: +*`process.hash.ssdeep`*:: + -- +SSDEEP hash. + type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`process.name`*:: + -- +Process name. +Sometimes called program name or similar. 
+ type: keyword +example: ssh + -- -*`rsa.web.web_page`*:: +*`process.name.text`*:: + -- -type: keyword +type: text -- - -*`rsa.threat.threat_category`*:: +*`process.parent.args`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword +example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] + -- -*`rsa.threat.threat_desc`*:: +*`process.parent.args_count`*:: + -- -This key is used to capture the threat description from the session directly or inferred +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. -type: keyword +type: long + +example: 4 -- -*`rsa.threat.alert`*:: +*`process.parent.code_signature.exists`*:: + -- -This key is used to capture name of the alert +Boolean to capture if a signature is present. -type: keyword +type: boolean + +example: true -- -*`rsa.threat.threat_source`*:: +*`process.parent.code_signature.signing_id`*:: + -- -This key is used to capture source of the threat +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword --- +example: com.apple.xpc.proxy +-- -*`rsa.crypto.crypto`*:: +*`process.parent.code_signature.status`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.crypto.cipher_src`*:: +*`process.parent.code_signature.subject_name`*:: + -- -This key is for Source (Client) Cipher +Subject name of the code signer type: keyword +example: Microsoft Corporation + -- -*`rsa.crypto.cert_subject`*:: +*`process.parent.code_signature.team_id`*:: + -- -This key is used to capture the Certificate organization only +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword +example: EQHXZ8M8AV + -- -*`rsa.crypto.peer`*:: +*`process.parent.code_signature.trusted`*:: + -- -This key is for Encryption peer's IP Address +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean + +example: true -- -*`rsa.crypto.cipher_size_src`*:: +*`process.parent.code_signature.valid`*:: + -- -This key captures Source (Client) Cipher Size +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: long +type: boolean + +example: true -- -*`rsa.crypto.ike`*:: +*`process.parent.command_line`*:: + -- -IKE negotiation phase. +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. type: keyword +example: /usr/bin/ssh -l user 10.0.0.16 + -- -*`rsa.crypto.scheme`*:: +*`process.parent.command_line.text`*:: + -- -This key captures the Encryption scheme used - -type: keyword +type: text -- -*`rsa.crypto.peer_id`*:: +*`process.parent.elf.architecture`*:: + -- -This key is for Encryption peer’s identity +Machine architecture of the ELF file. 
type: keyword +example: x86-64 + -- -*`rsa.crypto.sig_type`*:: +*`process.parent.elf.byte_order`*:: + -- -This key captures the Signature Type +Byte sequence of ELF file. type: keyword +example: Little Endian + -- -*`rsa.crypto.cert_issuer`*:: +*`process.parent.elf.cpu_type`*:: + -- +CPU type of the ELF file. + type: keyword +example: Intel + -- -*`rsa.crypto.cert_host_name`*:: +*`process.parent.elf.creation_date`*:: + -- -Deprecated key defined only in table map. +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -type: keyword +type: date -- -*`rsa.crypto.cert_error`*:: +*`process.parent.elf.exports`*:: + -- -This key captures the Certificate Error String +List of exported element names and types. -type: keyword +type: flattened -- -*`rsa.crypto.cipher_dst`*:: +*`process.parent.elf.header.abi_version`*:: + -- -This key is for Destination (Server) Cipher +Version of the ELF Application Binary Interface (ABI). type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`process.parent.elf.header.class`*:: + -- -This key captures Destination (Server) Cipher Size +Header class of the ELF file. -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`process.parent.elf.header.data`*:: + -- -Deprecated, use version +Data table of the ELF header. type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`process.parent.elf.header.entrypoint`*:: + -- -type: keyword +Header entrypoint of the ELF file. --- +type: long -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword +format: string -- -*`rsa.crypto.ike_cookie1`*:: +*`process.parent.elf.header.object_version`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +"0x1" for original ELF files. type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`process.parent.elf.header.os_abi`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +Application Binary Interface (ABI) of the Linux OS. 
type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`process.parent.elf.header.type`*:: + -- +Header type of the ELF file. + type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`process.parent.elf.header.version`*:: + -- -This key is used for the hostname category value of a certificate +Version of the ELF header. type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`process.parent.elf.imports`*:: + -- -This key is used to capture the Certificate serial number only +List of imported element names and types. -type: keyword +type: flattened -- -*`rsa.crypto.cert_status`*:: +*`process.parent.elf.sections`*:: + -- -This key captures Certificate validation status +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. -type: keyword +type: nested -- -*`rsa.crypto.ssl_ver_dst`*:: +*`process.parent.elf.sections.chi2`*:: + -- -Deprecated, use version +Chi-square probability distribution of the section. -type: keyword +type: long + +format: number -- -*`rsa.crypto.cert_keysize`*:: +*`process.parent.elf.sections.entropy`*:: + -- -type: keyword +Shannon entropy calculation from the section. --- +type: long -*`rsa.crypto.cert_username`*:: -+ --- -type: keyword +format: number -- -*`rsa.crypto.https_insact`*:: +*`process.parent.elf.sections.flags`*:: + -- +ELF Section List flags. + type: keyword -- -*`rsa.crypto.https_valid`*:: +*`process.parent.elf.sections.name`*:: + -- +ELF Section List name. + type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`process.parent.elf.sections.physical_offset`*:: + -- -This key is used to capture the Certificate signing authority only +ELF Section List offset. type: keyword -- -*`rsa.crypto.cert_common`*:: +*`process.parent.elf.sections.physical_size`*:: + -- -This key is used to capture the Certificate common name only +ELF Section List physical size. 
-type: keyword +type: long --- +format: bytes +-- -*`rsa.wireless.wlan_ssid`*:: +*`process.parent.elf.sections.type`*:: + -- -This key is used to capture the ssid of a Wireless Session +ELF Section List type. type: keyword -- -*`rsa.wireless.access_point`*:: +*`process.parent.elf.sections.virtual_address`*:: + -- -This key is used to capture the access point name. +ELF Section List virtual address. -type: keyword +type: long + +format: string -- -*`rsa.wireless.wlan_channel`*:: +*`process.parent.elf.sections.virtual_size`*:: + -- -This is used to capture the channel names +ELF Section List virtual size. type: long +format: string + -- -*`rsa.wireless.wlan_name`*:: +*`process.parent.elf.segments`*:: + -- -This key captures either WLAN number/name +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. -type: keyword +type: nested -- - -*`rsa.storage.disk_volume`*:: +*`process.parent.elf.segments.sections`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +ELF object segment sections. type: keyword -- -*`rsa.storage.lun`*:: +*`process.parent.elf.segments.type`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +ELF object segment type. type: keyword -- -*`rsa.storage.pwwn`*:: +*`process.parent.elf.shared_libraries`*:: + -- -This uniquely identifies a port on a HBA. +List of shared libraries used by this ELF object. type: keyword -- - -*`rsa.physical.org_dst`*:: +*`process.parent.elf.telfhash`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +telfhash symbol hash for ELF file. type: keyword -- -*`rsa.physical.org_src`*:: +*`process.parent.entity_id`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +Unique identifier for the process. 
+The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword --- +example: c2c455d9f99375d +-- -*`rsa.healthcare.patient_fname`*:: +*`process.parent.executable`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +Absolute path to the process executable. type: keyword +example: /usr/bin/ssh + -- -*`rsa.healthcare.patient_id`*:: +*`process.parent.executable.text`*:: + -- -This key captures the unique ID for a patient - -type: keyword +type: text -- -*`rsa.healthcare.patient_lname`*:: +*`process.parent.exit_code`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). -type: keyword +type: long + +example: 137 -- -*`rsa.healthcare.patient_mname`*:: +*`process.parent.hash.md5`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +MD5 hash. type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`process.parent.hash.sha1`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +SHA1 hash. type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`process.parent.hash.sha256`*:: + -- -This key captures the path to the registry key +SHA256 hash. type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`process.parent.hash.sha512`*:: + -- -This key captures values or decorators used within a registry entry +SHA512 hash. 
type: keyword -- -[[exported-fields-docker-processor]] -== Docker fields - -Docker stats collected from Docker. - - - - -*`docker.container.id`*:: +*`process.parent.hash.ssdeep`*:: + -- -type: alias +SSDEEP hash. -alias to: container.id +type: keyword -- -*`docker.container.image`*:: +*`process.parent.name`*:: + -- -type: alias +Process name. +Sometimes called program name or similar. -alias to: container.image.name +type: keyword + +example: ssh -- -*`docker.container.name`*:: +*`process.parent.name.text`*:: + -- -type: alias - -alias to: container.name +type: text -- -*`docker.container.labels`*:: +*`process.parent.pe.architecture`*:: + -- -Image labels. +CPU architecture target for the file. +type: keyword -type: object +example: x64 -- -[[exported-fields-ecs]] -== ECS fields - - -This section defines Elastic Common Schema (ECS) fields—a common set of fields -to be used when storing event data in {es}. - -This is an exhaustive list, and fields listed here are not necessarily used by {beatname_uc}. -The goal of ECS is to enable and encourage users of {es} to normalize their event data, -so that they can better analyze, visualize, and correlate the data represented in their events. - -See the {ecs-ref}[ECS reference] for more information. - -*`@timestamp`*:: +*`process.parent.pe.company`*:: + -- -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -type: date +Internal company name of the file, provided at compile-time. -example: 2016-05-23T08:05:34.853Z +type: keyword -required: True +example: Microsoft Corporation -- -*`labels`*:: +*`process.parent.pe.description`*:: + -- -Custom key/value pairs. -Can be used to add meta information to events. Should not contain nested objects. 
All values are stored as keyword. -Example: `docker` and `k8s` labels. +Internal description of the file, provided at compile-time. -type: object +type: keyword -example: {"application": "foo-bar", "env": "production"} +example: Paint -- -*`message`*:: +*`process.parent.pe.file_version`*:: + -- -For log events the message field contains the log message, optimized for viewing in a log viewer. -For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. -If multiple messages exist, they can be combined into one message. +Internal version of the file, provided at compile-time. -type: text +type: keyword -example: Hello World +example: 6.3.9600.17415 -- -*`tags`*:: +*`process.parent.pe.imphash`*:: + -- -List of keywords used to tag each event. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword -example: ["production", "env2"] +example: 0c6803c4e922103c4dca5963aad36ddf -- -[float] -=== agent - -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. -Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. - - -*`agent.build.original`*:: +*`process.parent.pe.original_file_name`*:: + -- -Extended build information for the agent. -This field is intended to contain any build information that a data source may provide, no specific formatting is required. +Internal name of the file, provided at compile-time. 
type: keyword -example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] +example: MSPAINT.EXE -- -*`agent.ephemeral_id`*:: +*`process.parent.pe.product`*:: + -- -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. +Internal product name of the file, provided at compile-time. type: keyword -example: 8a4f500f +example: Microsoft® Windows® Operating System -- -*`agent.id`*:: +*`process.parent.pgid`*:: + -- -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. +Identifier of the group of processes the process belongs to. -type: keyword +type: long -example: 8a4f500d +format: string -- -*`agent.name`*:: +*`process.parent.pid`*:: + -- -Custom name of the agent. -This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. -If no name is given, the name is often left empty. +Process id. -type: keyword +type: long -example: foo +example: 4242 + +format: string -- -*`agent.type`*:: +*`process.parent.ppid`*:: + -- -Type of the agent. -The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +Parent process' pid. -type: keyword +type: long -example: filebeat +example: 4241 + +format: string -- -*`agent.version`*:: +*`process.parent.start`*:: + -- -Version of the agent. +The time the process started. 
-type: keyword +type: date -example: 6.0.0-rc2 +example: 2016-05-23T08:05:34.853Z -- -[float] -=== as - -An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. - - -*`as.number`*:: +*`process.parent.thread.id`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +Thread ID. type: long -example: 15169 +example: 4242 + +format: string -- -*`as.organization.name`*:: +*`process.parent.thread.name`*:: + -- -Organization name. +Thread name. type: keyword -example: Google LLC +example: thread-0 -- -*`as.organization.name.text`*:: +*`process.parent.title`*:: + -- -type: text - --- - -[float] -=== client +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. 
+type: keyword +-- -*`client.address`*:: +*`process.parent.title.text`*:: + -- -Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - -type: keyword +type: text -- -*`client.as.number`*:: +*`process.parent.uptime`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +Seconds the process has been up. type: long -example: 15169 +example: 1325 -- -*`client.as.organization.name`*:: +*`process.parent.working_directory`*:: + -- -Organization name. +The working directory of the process. type: keyword -example: Google LLC +example: /home/alice -- -*`client.as.organization.name.text`*:: +*`process.parent.working_directory.text`*:: + -- type: text -- -*`client.bytes`*:: +*`process.pe.architecture`*:: + -- -Bytes sent from the client to the server. - -type: long +CPU architecture target for the file. -example: 184 +type: keyword -format: bytes +example: x64 -- -*`client.domain`*:: +*`process.pe.company`*:: + -- -Client domain. +Internal company name of the file, provided at compile-time. type: keyword +example: Microsoft Corporation + -- -*`client.geo.city_name`*:: +*`process.pe.description`*:: + -- -City name. +Internal description of the file, provided at compile-time. type: keyword -example: Montreal +example: Paint -- -*`client.geo.continent_code`*:: +*`process.pe.file_version`*:: + -- -Two-letter code representing continent's name. +Internal version of the file, provided at compile-time. type: keyword -example: NA +example: 6.3.9600.17415 -- -*`client.geo.continent_name`*:: +*`process.pe.imphash`*:: + -- -Name of the continent. +A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword -example: North America +example: 0c6803c4e922103c4dca5963aad36ddf -- -*`client.geo.country_iso_code`*:: +*`process.pe.original_file_name`*:: + -- -Country ISO code. +Internal name of the file, provided at compile-time. type: keyword -example: CA +example: MSPAINT.EXE -- -*`client.geo.country_name`*:: +*`process.pe.product`*:: + -- -Country name. +Internal product name of the file, provided at compile-time. type: keyword -example: Canada +example: Microsoft® Windows® Operating System -- -*`client.geo.location`*:: +*`process.pgid`*:: + -- -Longitude and latitude. +Identifier of the group of processes the process belongs to. -type: geo_point +type: long -example: { "lon": -73.614830, "lat": 45.505918 } +format: string -- -*`client.geo.name`*:: +*`process.pid`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +Process id. -type: keyword +type: long -example: boston-dc +example: 4242 + +format: string -- -*`client.geo.postal_code`*:: +*`process.ppid`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. +Parent process' pid. -type: keyword +type: long -example: 94040 +example: 4241 + +format: string -- -*`client.geo.region_iso_code`*:: +*`process.start`*:: + -- -Region ISO code. +The time the process started. 
-type: keyword +type: date -example: CA-QC +example: 2016-05-23T08:05:34.853Z -- -*`client.geo.region_name`*:: +*`process.thread.id`*:: + -- -Region name. +Thread ID. -type: keyword +type: long -example: Quebec +example: 4242 + +format: string -- -*`client.geo.timezone`*:: +*`process.thread.name`*:: + -- -The time zone of the location, such as IANA time zone name. +Thread name. type: keyword -example: America/Argentina/Buenos_Aires +example: thread-0 -- -*`client.ip`*:: +*`process.title`*:: + -- -IP address of the client (IPv4 or IPv6). +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: ip +type: keyword -- -*`client.mac`*:: +*`process.title.text`*:: + -- -MAC address of the client. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - -type: keyword - -example: 00-00-5E-00-53-23 +type: text -- -*`client.nat.ip`*:: +*`process.uptime`*:: + -- -Translated IP of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. +Seconds the process has been up. -type: ip +type: long + +example: 1325 -- -*`client.nat.port`*:: +*`process.working_directory`*:: + -- -Translated port of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. +The working directory of the process. -type: long +type: keyword -format: string +example: /home/alice -- -*`client.packets`*:: +*`process.working_directory.text`*:: + -- -Packets sent from the client to the server. +type: text -type: long +-- -example: 12 +[float] +=== registry --- +Fields related to Windows Registry operations. 
-*`client.port`*:: + +*`registry.data.bytes`*:: + -- -Port of the client. +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. -type: long +type: keyword -format: string +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= -- -*`client.registered_domain`*:: +*`registry.data.strings`*:: + -- -The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). type: keyword -example: example.com +example: ["C:\rta\red_ttp\bin\myapp.exe"] -- -*`client.subdomain`*:: +*`registry.data.type`*:: + -- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
+Standard registry type for encoding contents type: keyword -example: east +example: REG_SZ -- -*`client.top_level_domain`*:: +*`registry.hive`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Abbreviated name for the hive. type: keyword -example: co.uk +example: HKLM -- -*`client.user.domain`*:: +*`registry.key`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Hive-relative path of keys. type: keyword +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + -- -*`client.user.email`*:: +*`registry.path`*:: + -- -User email address. +Full path, including hive, key and value type: keyword +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + -- -*`client.user.full_name`*:: +*`registry.value`*:: + -- -User's full name, if available. +Name of the value written. type: keyword -example: Albert Einstein +example: Debugger -- -*`client.user.full_name.text`*:: -+ --- -type: text +[float] +=== related --- +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. 
-*`client.user.group.domain`*:: + +*`related.hash`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). type: keyword -- -*`client.user.group.id`*:: +*`related.hosts`*:: + -- -Unique identifier for the group on the system/platform. +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. type: keyword -- -*`client.user.group.name`*:: +*`related.ip`*:: + -- -Name of the group. - -type: keyword - --- - -*`client.user.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`client.user.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`client.user.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- +All of the IPs seen on your event. -*`client.user.name.text`*:: -+ --- -type: text +type: ip -- -*`client.user.roles`*:: +*`related.user`*:: + -- -Array of user roles at the time of the event. +All the user names or other user identifiers seen on the event. type: keyword -example: ["kibana_admin", "reporting_user"] - -- [float] -=== cloud - -Fields related to the cloud or infrastructure the events are coming from. - - -*`cloud.account.id`*:: -+ --- -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - -type: keyword - -example: 666777888999 - --- - -*`cloud.account.name`*:: -+ --- -The cloud account name or alias used to identify different entities in a multi-tenant environment. 
-Examples: AWS account name, Google Cloud ORG display name. - -type: keyword - -example: elastic-dev - --- - -*`cloud.availability_zone`*:: -+ --- -Availability zone in which this host, resource, or service is located. - -type: keyword - -example: us-east-1c - --- - -*`cloud.instance.id`*:: -+ --- -Instance ID of the host machine. - -type: keyword - -example: i-1234567890abcdef0 - --- - -*`cloud.instance.name`*:: -+ --- -Instance name of the host machine. - -type: keyword - --- - -*`cloud.machine.type`*:: -+ --- -Machine type of the host machine. - -type: keyword - -example: t2.medium - --- - -*`cloud.project.id`*:: -+ --- -The cloud project identifier. -Examples: Google Cloud Project id, Azure Project id. - -type: keyword - -example: my-project - --- - -*`cloud.project.name`*:: -+ --- -The cloud project name. -Examples: Google Cloud Project name, Azure Project name. - -type: keyword +=== rule -example: my project +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. --- -*`cloud.provider`*:: +*`rule.author`*:: + -- -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. type: keyword -example: aws +example: ["Star-Lord"] -- -*`cloud.region`*:: +*`rule.category`*:: + -- -Region in which this host, resource, or service is located. +A categorization value keyword used by the entity using the rule for detection of this event. 
type: keyword -example: us-east-1 +example: Attempted Information Leak -- -*`cloud.service.name`*:: +*`rule.description`*:: + -- -The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. -Examples: app engine, app service, cloud run, fargate, lambda. +The description of the rule generating the event. type: keyword -example: lambda - --- - -[float] -=== code_signature - -These fields contain information about binary code signatures. - - -*`code_signature.exists`*:: -+ --- -Boolean to capture if a signature is present. - -type: boolean - -example: true +example: Block requests to public DNS over HTTPS / TLS protocols -- -*`code_signature.signing_id`*:: +*`rule.id`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. type: keyword -example: com.apple.xpc.proxy +example: 101 -- -*`code_signature.status`*:: +*`rule.license`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +Name of the license under which the rule used to generate this event is made available. type: keyword -example: ERROR_UNTRUSTED_ROOT +example: Apache 2.0 -- -*`code_signature.subject_name`*:: +*`rule.name`*:: + -- -Subject name of the code signer +The name of the rule or signature generating the event. type: keyword -example: Microsoft Corporation +example: BLOCK_DNS_over_TLS -- -*`code_signature.team_id`*:: +*`rule.reference`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. 
The field is relevant to Apple *OS only. +Reference URL to additional information about the rule used to generate this event. +The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. type: keyword -example: EQHXZ8M8AV - --- - -*`code_signature.trusted`*:: -+ --- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true - --- - -*`code_signature.valid`*:: -+ --- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean - -example: true +example: https://en.wikipedia.org/wiki/DNS_over_TLS -- -[float] -=== container - -Container fields are used for meta information about the specific container that is the source of information. -These fields help correlate data based containers from any runtime. - - -*`container.id`*:: +*`rule.ruleset`*:: + -- -Unique container id. +Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. type: keyword --- - -*`container.image.name`*:: -+ --- -Name of the image the container was built on. - -type: keyword +example: Standard_Protocol_Filters -- -*`container.image.tag`*:: +*`rule.uuid`*:: + -- -Container image tags. +A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. type: keyword --- - -*`container.labels`*:: -+ --- -Image labels. - -type: object - --- - -*`container.name`*:: -+ --- -Container name. - -type: keyword +example: 1100110011 -- -*`container.runtime`*:: +*`rule.version`*:: + -- -Runtime managing this container. +The version / revision of the rule being used for analysis. 
type: keyword -example: docker - --- - -[float] -=== data_stream - -The data_stream fields take part in defining the new data stream naming scheme. -In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. -An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character), `,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. - - -*`data_stream.dataset`*:: -+ --- -The field can contain anything that makes sense to signify the source of the data. -Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. -Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: - * Must not contain `-` - * No longer than 100 characters - -type: constant_keyword - -example: nginx.access - --- - -*`data_stream.namespace`*:: -+ --- -A user defined namespace. Namespaces are useful to allow grouping of data. -Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. 
Many users will populate this field with `default`. If no value is used, it falls back to `default`. -Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: - * Must not contain `-` - * No longer than 100 characters - -type: constant_keyword - -example: production - --- - -*`data_stream.type`*:: -+ --- -An overarching type for the data stream. -Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. - -type: constant_keyword - -example: logs +example: 1.1 -- [float] -=== destination +=== server -Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. -Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. 
If your context falls in that category, you should still ensure that source and destination are filled appropriately. -*`destination.address`*:: +*`server.address`*:: + -- -Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -- -*`destination.as.number`*:: +*`server.as.number`*:: + -- Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. @@ -41228,7 +42254,7 @@ example: 15169 -- -*`destination.as.organization.name`*:: +*`server.as.organization.name`*:: + -- Organization name. @@ -41239,17 +42265,17 @@ example: Google LLC -- -*`destination.as.organization.name.text`*:: +*`server.as.organization.name.text`*:: + -- type: text -- -*`destination.bytes`*:: +*`server.bytes`*:: + -- -Bytes sent from the destination to the source. +Bytes sent from the server to the client. type: long @@ -41259,16 +42285,16 @@ format: bytes -- -*`destination.domain`*:: +*`server.domain`*:: + -- -Destination domain. +Server domain. type: keyword -- -*`destination.geo.city_name`*:: +*`server.geo.city_name`*:: + -- City name. @@ -41279,7 +42305,7 @@ example: Montreal -- -*`destination.geo.continent_code`*:: +*`server.geo.continent_code`*:: + -- Two-letter code representing continent's name. @@ -41290,7 +42316,7 @@ example: NA -- -*`destination.geo.continent_name`*:: +*`server.geo.continent_name`*:: + -- Name of the continent. @@ -41301,7 +42327,7 @@ example: North America -- -*`destination.geo.country_iso_code`*:: +*`server.geo.country_iso_code`*:: + -- Country ISO code. 
@@ -41312,7 +42338,7 @@ example: CA -- -*`destination.geo.country_name`*:: +*`server.geo.country_name`*:: + -- Country name. @@ -41323,7 +42349,7 @@ example: Canada -- -*`destination.geo.location`*:: +*`server.geo.location`*:: + -- Longitude and latitude. @@ -41334,7 +42360,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`destination.geo.name`*:: +*`server.geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -41347,7 +42373,7 @@ example: boston-dc -- -*`destination.geo.postal_code`*:: +*`server.geo.postal_code`*:: + -- Postal code associated with the location. @@ -41359,7 +42385,7 @@ example: 94040 -- -*`destination.geo.region_iso_code`*:: +*`server.geo.region_iso_code`*:: + -- Region ISO code. @@ -41370,7 +42396,7 @@ example: CA-QC -- -*`destination.geo.region_name`*:: +*`server.geo.region_name`*:: + -- Region name. @@ -41381,7 +42407,7 @@ example: Quebec -- -*`destination.geo.timezone`*:: +*`server.geo.timezone`*:: + -- The time zone of the location, such as IANA time zone name. @@ -41392,19 +42418,19 @@ example: America/Argentina/Buenos_Aires -- -*`destination.ip`*:: +*`server.ip`*:: + -- -IP address of the destination (IPv4 or IPv6). +IP address of the server (IPv4 or IPv6). type: ip -- -*`destination.mac`*:: +*`server.mac`*:: + -- -MAC address of the destination. +MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword @@ -41413,7 +42439,7 @@ example: 00-00-5E-00-53-23 -- -*`destination.nat.ip`*:: +*`server.nat.ip`*:: + -- Translated ip of destination based NAT sessions (e.g. internet to private DMZ) 
@@ -41423,10 +42449,10 @@ type: ip -- -*`destination.nat.port`*:: +*`server.nat.port`*:: + -- -Port the source session is translated to by NAT Device. +Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. type: long @@ -41435,10 +42461,10 @@ format: string -- -*`destination.packets`*:: +*`server.packets`*:: + -- -Packets sent from the destination to the source. +Packets sent from the server to the client. type: long @@ -41446,10 +42472,10 @@ example: 12 -- -*`destination.port`*:: +*`server.port`*:: + -- -Port of the destination. +Port of the server. type: long @@ -41457,10 +42483,10 @@ format: string -- -*`destination.registered_domain`*:: +*`server.registered_domain`*:: + -- -The highest registered destination domain, stripped of the subdomain. +The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". @@ -41470,7 +42496,7 @@ example: example.com -- -*`destination.subdomain`*:: +*`server.subdomain`*:: + -- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. @@ -41482,7 +42508,7 @@ example: east -- -*`destination.top_level_domain`*:: +*`server.top_level_domain`*:: + -- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
@@ -41494,7 +42520,7 @@ example: co.uk -- -*`destination.user.domain`*:: +*`server.user.domain`*:: + -- Name of the directory the user is a member of. @@ -41504,7 +42530,7 @@ type: keyword -- -*`destination.user.email`*:: +*`server.user.email`*:: + -- User email address. @@ -41513,7 +42539,7 @@ type: keyword -- -*`destination.user.full_name`*:: +*`server.user.full_name`*:: + -- User's full name, if available. @@ -41524,14 +42550,14 @@ example: Albert Einstein -- -*`destination.user.full_name.text`*:: +*`server.user.full_name.text`*:: + -- type: text -- -*`destination.user.group.domain`*:: +*`server.user.group.domain`*:: + -- Name of the directory the group is a member of. @@ -41541,7 +42567,7 @@ type: keyword -- -*`destination.user.group.id`*:: +*`server.user.group.id`*:: + -- Unique identifier for the group on the system/platform. @@ -41550,7 +42576,7 @@ type: keyword -- -*`destination.user.group.name`*:: +*`server.user.group.name`*:: + -- Name of the group. @@ -41559,7 +42585,7 @@ type: keyword -- -*`destination.user.hash`*:: +*`server.user.hash`*:: + -- Unique user hash to correlate information for a user in anonymized form. @@ -41569,7 +42595,7 @@ type: keyword -- -*`destination.user.id`*:: +*`server.user.id`*:: + -- Unique identifier of the user. @@ -41578,7 +42604,7 @@ type: keyword -- -*`destination.user.name`*:: +*`server.user.name`*:: + -- Short name or login of the user. @@ -41589,14 +42615,14 @@ example: albert -- -*`destination.user.name.text`*:: +*`server.user.name.text`*:: + -- type: text -- -*`destination.user.roles`*:: +*`server.user.roles`*:: + -- Array of user roles at the time of the event. 
@@ -41608,380 +42634,358 @@ example: ["kibana_admin", "reporting_user"] -- [float] -=== dll - -These fields contain information about code libraries dynamically loaded into processes. +=== service -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: -* Dynamic-link library (`.dll`) commonly used on Windows -* Shared Object (`.so`) commonly used on Unix-like operating systems -* Dynamic library (`.dylib`) commonly used on macOS +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. -*`dll.code_signature.exists`*:: +*`service.ephemeral_id`*:: + -- -Boolean to capture if a signature is present. +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. -type: boolean +type: keyword -example: true +example: 8a4f500f -- -*`dll.code_signature.signing_id`*:: +*`service.id`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword -example: com.apple.xpc.proxy +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 -- -*`dll.code_signature.status`*:: +*`service.name`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. 
Leave unpopulated if the validity or trust of the certificate was unchecked. +Name of the service data is collected from. +The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. +In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. type: keyword -example: ERROR_UNTRUSTED_ROOT +example: elasticsearch-metrics -- -*`dll.code_signature.subject_name`*:: +*`service.node.name`*:: + -- -Subject name of the code signer +Name of a service node. +This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. +In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword -example: Microsoft Corporation +example: instance-0000000016 -- -*`dll.code_signature.team_id`*:: +*`service.state`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. +Current state of the service. type: keyword -example: EQHXZ8M8AV - -- -*`dll.code_signature.trusted`*:: +*`service.type`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +The type of the service data is collected from. 
+The type can be used to group and correlate logs and metrics from one service type. +Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. -type: boolean +type: keyword -example: true +example: elasticsearch -- -*`dll.code_signature.valid`*:: +*`service.version`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. -type: boolean +type: keyword -example: true +example: 3.2.4 -- -*`dll.hash.md5`*:: -+ --- -MD5 hash. +[float] +=== source -type: keyword +Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. +Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. --- -*`dll.hash.sha1`*:: +*`source.address`*:: + -- -SHA1 hash. +Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -- -*`dll.hash.sha256`*:: +*`source.as.number`*:: + -- -SHA256 hash. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long + +example: 15169 -- -*`dll.hash.sha512`*:: +*`source.as.organization.name`*:: + -- -SHA512 hash. +Organization name. 
type: keyword +example: Google LLC + -- -*`dll.hash.ssdeep`*:: +*`source.as.organization.name.text`*:: + -- -SSDEEP hash. - -type: keyword +type: text -- -*`dll.name`*:: +*`source.bytes`*:: + -- -Name of the library. -This generally maps to the name of the file on disk. +Bytes sent from the source to the destination. -type: keyword +type: long -example: kernel32.dll +example: 184 + +format: bytes -- -*`dll.path`*:: +*`source.domain`*:: + -- -Full file path of the library. +Source domain. type: keyword -example: C:\Windows\System32\kernel32.dll - -- -*`dll.pe.architecture`*:: +*`source.geo.city_name`*:: + -- -CPU architecture target for the file. +City name. type: keyword -example: x64 +example: Montreal -- -*`dll.pe.company`*:: +*`source.geo.continent_code`*:: + -- -Internal company name of the file, provided at compile-time. +Two-letter code representing continent's name. type: keyword -example: Microsoft Corporation +example: NA -- -*`dll.pe.description`*:: +*`source.geo.continent_name`*:: + -- -Internal description of the file, provided at compile-time. +Name of the continent. type: keyword -example: Paint +example: North America -- -*`dll.pe.file_version`*:: +*`source.geo.country_iso_code`*:: + -- -Internal version of the file, provided at compile-time. +Country ISO code. type: keyword -example: 6.3.9600.17415 +example: CA -- -*`dll.pe.imphash`*:: +*`source.geo.country_name`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +Country name. type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf +example: Canada -- -*`dll.pe.original_file_name`*:: +*`source.geo.location`*:: + -- -Internal name of the file, provided at compile-time. +Longitude and latitude. 
-type: keyword +type: geo_point -example: MSPAINT.EXE +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`dll.pe.product`*:: +*`source.geo.name`*:: + -- -Internal product name of the file, provided at compile-time. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: Microsoft® Windows® Operating System - --- - -[float] -=== dns - -Fields describing DNS queries and answers. -DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). - - -*`dns.answers`*:: -+ --- -An array containing an object for each answer section returned by the server. -The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. -Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - -type: object +example: boston-dc -- -*`dns.answers.class`*:: +*`source.geo.postal_code`*:: + -- -The class of DNS data contained in this resource record. +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword -example: IN +example: 94040 -- -*`dns.answers.data`*:: +*`source.geo.region_iso_code`*:: + -- -The data describing the resource. -The meaning of this data depends on the type and class of the resource record. +Region ISO code. 
type: keyword -example: 10.10.10.10 +example: CA-QC -- -*`dns.answers.name`*:: +*`source.geo.region_name`*:: + -- -The domain name to which this resource record pertains. -If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. +Region name. type: keyword -example: www.example.com +example: Quebec -- -*`dns.answers.ttl`*:: +*`source.geo.timezone`*:: + -- -The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. +The time zone of the location, such as IANA time zone name. -type: long +type: keyword -example: 180 +example: America/Argentina/Buenos_Aires -- -*`dns.answers.type`*:: +*`source.ip`*:: + -- -The type of data contained in this resource record. - -type: keyword +IP address of the source (IPv4 or IPv6). -example: CNAME +type: ip -- -*`dns.header_flags`*:: +*`source.mac`*:: + -- -Array of 2 letter DNS header flags. -Expected values are: AA, TC, RD, RA, AD, CD, DO. +MAC address of the source. +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword -example: ["RD", "RA"] +example: 00-00-5E-00-53-23 -- -*`dns.id`*:: +*`source.nat.ip`*:: + -- -The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - -type: keyword +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. -example: 62111 +type: ip -- -*`dns.op_code`*:: +*`source.nat.port`*:: + -- -The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. 
+Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. -type: keyword +type: long -example: QUERY +format: string -- -*`dns.question.class`*:: +*`source.packets`*:: + -- -The class of records being queried. +Packets sent from the source to the destination. -type: keyword +type: long -example: IN +example: 12 -- -*`dns.question.name`*:: +*`source.port`*:: + -- -The name being queried. -If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. +Port of the source. -type: keyword +type: long -example: www.example.com +format: string -- -*`dns.question.registered_domain`*:: +*`source.registered_domain`*:: + -- -The highest registered domain, stripped of the subdomain. +The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
@@ -41991,19 +42995,19 @@ example: example.com -- -*`dns.question.subdomain`*:: +*`source.subdomain`*:: + -- -The subdomain is all of the labels under the registered_domain. -If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. type: keyword -example: www +example: east -- -*`dns.question.top_level_domain`*:: +*`source.top_level_domain`*:: + -- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
@@ -42015,1480 +43019,1457 @@ example: co.uk -- -*`dns.question.type`*:: +*`source.user.domain`*:: + -- -The type of record being queried. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: AAAA - -- -*`dns.resolved_ip`*:: +*`source.user.email`*:: + -- -Array containing all IPs seen in `answers.data`. -The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - -type: ip +User email address. -example: ["10.10.10.10", "10.10.10.11"] +type: keyword -- -*`dns.response_code`*:: +*`source.user.full_name`*:: + -- -The DNS response code. +User's full name, if available. type: keyword -example: NOERROR +example: Albert Einstein -- -*`dns.type`*:: +*`source.user.full_name.text`*:: + -- -The type of DNS event captured, query or answer. -If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. -If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - -type: keyword - -example: answer +type: text -- -[float] -=== ecs - -Meta-information specific to ECS. - - -*`ecs.version`*:: +*`source.user.group.domain`*:: + -- -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. 
type: keyword -example: 1.0.0 - -required: True - -- -[float] -=== elf +*`source.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. -These fields contain Linux Executable Linkable Format (ELF) metadata. +type: keyword +-- -*`elf.architecture`*:: +*`source.user.group.name`*:: + -- -Machine architecture of the ELF file. +Name of the group. type: keyword -example: x86-64 - -- -*`elf.byte_order`*:: +*`source.user.hash`*:: + -- -Byte sequence of ELF file. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -example: Little Endian - -- -*`elf.cpu_type`*:: +*`source.user.id`*:: + -- -CPU type of the ELF file. +Unique identifier of the user. type: keyword -example: Intel - -- -*`elf.creation_date`*:: +*`source.user.name`*:: + -- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +Short name or login of the user. -type: date +type: keyword + +example: albert -- -*`elf.exports`*:: +*`source.user.name.text`*:: + -- -List of exported element names and types. - -type: flattened +type: text -- -*`elf.header.abi_version`*:: +*`source.user.roles`*:: + -- -Version of the ELF Application Binary Interface (ABI). +Array of user roles at the time of the event. type: keyword +example: ["kibana_admin", "reporting_user"] + -- -*`elf.header.class`*:: +[float] +=== threat + +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). 
+ + +*`threat.enrichments`*:: + -- -Header class of the ELF file. +A list of associated indicators objects enriching the event, and the context of that association/enrichment. -type: keyword +type: nested -- -*`elf.header.data`*:: +*`threat.enrichments.indicator`*:: + -- -Data table of the ELF header. +Object containing associated indicators enriching the event. -type: keyword +type: object -- -*`elf.header.entrypoint`*:: +*`threat.enrichments.indicator.as.number`*:: + -- -Header entrypoint of the ELF file. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. type: long -format: string +example: 15169 -- -*`elf.header.object_version`*:: +*`threat.enrichments.indicator.as.organization.name`*:: + -- -"0x1" for original ELF files. +Organization name. type: keyword +example: Google LLC + -- -*`elf.header.os_abi`*:: +*`threat.enrichments.indicator.as.organization.name.text`*:: + -- -Application Binary Interface (ABI) of the Linux OS. - -type: keyword +type: text -- -*`elf.header.type`*:: +*`threat.enrichments.indicator.confidence`*:: + -- -Header type of the ELF file. +Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values: + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) type: keyword +example: High + -- -*`elf.header.version`*:: +*`threat.enrichments.indicator.description`*:: + -- -Version of the ELF header. +Describes the type of action conducted by the threat. type: keyword +example: IP x.x.x.x was observed delivering the Angler EK. + -- -*`elf.imports`*:: +*`threat.enrichments.indicator.email.address`*:: + -- -List of imported element names and types. +Identifies a threat indicator as an email address (irrespective of direction). 
-type: flattened +type: keyword + +example: phish@example.com -- -*`elf.sections`*:: +*`threat.enrichments.indicator.file.accessed`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. +Last time the file was accessed. +Note that not all filesystems keep track of access time. -type: nested +type: date -- -*`elf.sections.chi2`*:: +*`threat.enrichments.indicator.file.attributes`*:: + -- -Chi-square probability distribution of the section. +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. -type: long +type: keyword -format: number +example: ["readonly", "system"] -- -*`elf.sections.entropy`*:: +*`threat.enrichments.indicator.file.code_signature.exists`*:: + -- -Shannon entropy calculation from the section. +Boolean to capture if a signature is present. -type: long +type: boolean -format: number +example: true -- -*`elf.sections.flags`*:: +*`threat.enrichments.indicator.file.code_signature.signing_id`*:: + -- -ELF Section List flags. +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword +example: com.apple.xpc.proxy + -- -*`elf.sections.name`*:: +*`threat.enrichments.indicator.file.code_signature.status`*:: + -- -ELF Section List name. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`elf.sections.physical_offset`*:: +*`threat.enrichments.indicator.file.code_signature.subject_name`*:: + -- -ELF Section List offset. 
+Subject name of the code signer type: keyword +example: Microsoft Corporation + -- -*`elf.sections.physical_size`*:: +*`threat.enrichments.indicator.file.code_signature.team_id`*:: + -- -ELF Section List physical size. +The team identifier used to sign the process. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. -type: long +type: keyword -format: bytes +example: EQHXZ8M8AV -- -*`elf.sections.type`*:: +*`threat.enrichments.indicator.file.code_signature.trusted`*:: + -- -ELF Section List type. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean + +example: true -- -*`elf.sections.virtual_address`*:: +*`threat.enrichments.indicator.file.code_signature.valid`*:: + -- -ELF Section List virtual address. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: long +type: boolean -format: string +example: true -- -*`elf.sections.virtual_size`*:: +*`threat.enrichments.indicator.file.created`*:: + -- -ELF Section List virtual size. - -type: long +File creation time. +Note that not all filesystems store the creation time. -format: string +type: date -- -*`elf.segments`*:: +*`threat.enrichments.indicator.file.ctime`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. -type: nested +type: date -- -*`elf.segments.sections`*:: +*`threat.enrichments.indicator.file.device`*:: + -- -ELF object segment sections. 
+Device that is the source of the file. type: keyword +example: sda + -- -*`elf.segments.type`*:: +*`threat.enrichments.indicator.file.directory`*:: + -- -ELF object segment type. +Directory where the file is located. It should include the drive letter, when appropriate. type: keyword +example: /home/alice + -- -*`elf.shared_libraries`*:: +*`threat.enrichments.indicator.file.drive_letter`*:: + -- -List of shared libraries used by this ELF object. +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. type: keyword +example: C + -- -*`elf.telfhash`*:: +*`threat.enrichments.indicator.file.elf.architecture`*:: + -- -telfhash symbol hash for ELF file. +Machine architecture of the ELF file. type: keyword --- - -[float] -=== error - -These fields can represent errors of any kind. -Use them for errors that happen while fetching events or in cases where the event itself contains an error. +example: x86-64 +-- -*`error.code`*:: +*`threat.enrichments.indicator.file.elf.byte_order`*:: + -- -Error code describing the error. +Byte sequence of ELF file. type: keyword +example: Little Endian + -- -*`error.id`*:: +*`threat.enrichments.indicator.file.elf.cpu_type`*:: + -- -Unique identifier for the error. +CPU type of the ELF file. type: keyword +example: Intel + -- -*`error.message`*:: +*`threat.enrichments.indicator.file.elf.creation_date`*:: + -- -Error message. +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -type: text +type: date -- -*`error.stack_trace`*:: +*`threat.enrichments.indicator.file.elf.exports`*:: + -- -The stack trace of this error in plain text. - -type: keyword +List of exported element names and types. -Field is not indexed. 
+type: flattened -- -*`error.stack_trace.text`*:: +*`threat.enrichments.indicator.file.elf.header.abi_version`*:: + -- -type: text +Version of the ELF Application Binary Interface (ABI). + +type: keyword -- -*`error.type`*:: +*`threat.enrichments.indicator.file.elf.header.class`*:: + -- -The type of the error, for example the class name of the exception. +Header class of the ELF file. type: keyword -example: java.lang.NullPointerException - -- -[float] -=== event +*`threat.enrichments.indicator.file.elf.header.data`*:: ++ +-- +Data table of the ELF header. -The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. +type: keyword +-- -*`event.action`*:: +*`threat.enrichments.indicator.file.elf.header.entrypoint`*:: + -- -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. +Header entrypoint of the ELF file. -type: keyword +type: long -example: user-password-change +format: string -- -*`event.agent_id_status`*:: +*`threat.enrichments.indicator.file.elf.header.object_version`*:: + -- -Agents are normally responsible for populating the `agent.id` field value. 
If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. -For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. -If no validation is performed then the field should be omitted. -The allowed values are: -`verified` - The `agent.id` field value matches expected value obtained from auth metadata. -`mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. -`missing` - There was no `agent.id` field in the event to validate. -`auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. +"0x1" for original ELF files. type: keyword -example: verified - -- -*`event.category`*:: +*`threat.enrichments.indicator.file.elf.header.os_abi`*:: + -- -This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. -`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. -This field is an array. This will allow proper categorization of some events that fall in multiple categories. +Application Binary Interface (ABI) of the Linux OS. type: keyword -example: authentication - -- -*`event.code`*:: +*`threat.enrichments.indicator.file.elf.header.type`*:: + -- -Identification code for this event, if one exists. -Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. 
An example of this is the Windows Event ID. +Header type of the ELF file. type: keyword -example: 4648 - -- -*`event.created`*:: +*`threat.enrichments.indicator.file.elf.header.version`*:: + -- -event.created contains the date/time when the event was first read by an agent, or by your pipeline. -This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. -In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. -In case the two timestamps are identical, @timestamp should be used. - -type: date +Version of the ELF header. -example: 2016-05-23T08:05:34.857Z +type: keyword -- -*`event.dataset`*:: +*`threat.enrichments.indicator.file.elf.imports`*:: + -- -Name of the dataset. -If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. -It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. +List of imported element names and types. -type: keyword +type: flattened -example: apache.access +-- +*`threat.enrichments.indicator.file.elf.sections`*:: ++ -- +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. -*`event.duration`*:: +type: nested + +-- + +*`threat.enrichments.indicator.file.elf.sections.chi2`*:: + -- -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. +Chi-square probability distribution of the section. 
type: long -format: duration +format: number -- -*`event.end`*:: +*`threat.enrichments.indicator.file.elf.sections.entropy`*:: + -- -event.end contains the date when the event ended or when the activity was last observed. +Shannon entropy calculation from the section. -type: date +type: long + +format: number -- -*`event.hash`*:: +*`threat.enrichments.indicator.file.elf.sections.flags`*:: + -- -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +ELF Section List flags. type: keyword -example: 123456789012345678901234567890ABCD - -- -*`event.id`*:: +*`threat.enrichments.indicator.file.elf.sections.name`*:: + -- -Unique ID to describe the event. +ELF Section List name. type: keyword -example: 8a4f500d - -- -*`event.ingested`*:: +*`threat.enrichments.indicator.file.elf.sections.physical_offset`*:: + -- -Timestamp when an event arrived in the central data store. -This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. -In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - -type: date +ELF Section List offset. -example: 2016-05-23T08:05:35.101Z +type: keyword -- -*`event.kind`*:: +*`threat.enrichments.indicator.file.elf.sections.physical_size`*:: + -- -This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. -`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. -The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. +ELF Section List physical size. -type: keyword +type: long -example: alert +format: bytes -- -*`event.module`*:: +*`threat.enrichments.indicator.file.elf.sections.type`*:: + -- -Name of the module this data is coming from. -If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. +ELF Section List type. type: keyword -example: apache - -- -*`event.original`*:: +*`threat.enrichments.indicator.file.elf.sections.virtual_address`*:: + -- -Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - -type: keyword +ELF Section List virtual address. -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +type: long -Field is not indexed. +format: string -- -*`event.outcome`*:: +*`threat.enrichments.indicator.file.elf.sections.virtual_size`*:: + -- -This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. -Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
-Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. -Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. +ELF Section List virtual size. -type: keyword +type: long -example: success +format: string -- -*`event.provider`*:: +*`threat.enrichments.indicator.file.elf.segments`*:: + -- -Source of the event. -Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - -type: keyword +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. -example: kernel +type: nested -- -*`event.reason`*:: +*`threat.enrichments.indicator.file.elf.segments.sections`*:: + -- -Reason why this event happened, according to the source. -This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). +ELF object segment sections. type: keyword -example: Terminated an unexpected process - -- -*`event.reference`*:: +*`threat.enrichments.indicator.file.elf.segments.type`*:: + -- -Reference URL linking to additional information about this event. -This URL links to a static definition of this event. 
Alert events, indicated by `event.kind:alert`, are a common use case for this field. +ELF object segment type. type: keyword -example: https://system.example.com/event/#0001234 - -- -*`event.risk_score`*:: +*`threat.enrichments.indicator.file.elf.shared_libraries`*:: + -- -Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +List of shared libraries used by this ELF object. -type: float +type: keyword -- -*`event.risk_score_norm`*:: +*`threat.enrichments.indicator.file.elf.telfhash`*:: + -- -Normalized risk score or priority of the event, on a scale of 0 to 100. -This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +telfhash symbol hash for ELF file. -type: float +type: keyword -- -*`event.sequence`*:: +*`threat.enrichments.indicator.file.extension`*:: + -- -Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. +File extension, excluding the leading dot. +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). -type: long +type: keyword -format: string +example: png -- -*`event.severity`*:: +*`threat.enrichments.indicator.file.gid`*:: + -- -The numeric severity of the event according to your event source. -What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. -The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - -type: long +Primary group ID (GID) of the file. 
-example: 7 +type: keyword -format: string +example: 1001 -- -*`event.start`*:: +*`threat.enrichments.indicator.file.group`*:: + -- -event.start contains the date when the event started or when the activity was first observed. +Primary group name of the file. -type: date +type: keyword + +example: alice -- -*`event.timezone`*:: +*`threat.enrichments.indicator.file.inode`*:: + -- -This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. -Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +Inode representing the file in the filesystem. type: keyword +example: 256383 + -- -*`event.type`*:: +*`threat.enrichments.indicator.file.mime_type`*:: + -- -This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. -`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. -This field is an array. This will allow proper categorization of some events that fall in multiple event types. +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword -- -*`event.url`*:: +*`threat.enrichments.indicator.file.mode`*:: + -- -URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +Mode of the file in octal representation. 
type: keyword -example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: 0640 -- -[float] -=== file - -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. - - -*`file.accessed`*:: +*`threat.enrichments.indicator.file.mtime`*:: + -- -Last time the file was accessed. -Note that not all filesystems keep track of access time. +Last time the file content was modified. type: date -- -*`file.attributes`*:: +*`threat.enrichments.indicator.file.name`*:: + -- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +Name of the file including the extension, without the directory. type: keyword -example: ["readonly", "system"] +example: example.png -- -*`file.code_signature.exists`*:: +*`threat.enrichments.indicator.file.owner`*:: + -- -Boolean to capture if a signature is present. +File owner's username. -type: boolean +type: keyword -example: true +example: alice -- -*`file.code_signature.signing_id`*:: +*`threat.enrichments.indicator.file.path`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +Full path to the file, including the file name. It should include the drive letter, when appropriate. type: keyword -example: com.apple.xpc.proxy +example: /home/alice/example.png -- -*`file.code_signature.status`*:: +*`threat.enrichments.indicator.file.path.text`*:: + -- -Additional information about the certificate status. 
-This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - -type: keyword - -example: ERROR_UNTRUSTED_ROOT +type: text -- -*`file.code_signature.subject_name`*:: +*`threat.enrichments.indicator.file.size`*:: + -- -Subject name of the code signer +File size in bytes. +Only relevant when `file.type` is "file". -type: keyword +type: long -example: Microsoft Corporation +example: 16384 -- -*`file.code_signature.team_id`*:: +*`threat.enrichments.indicator.file.target_path`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. +Target path for symlinks. type: keyword -example: EQHXZ8M8AV - -- -*`file.code_signature.trusted`*:: +*`threat.enrichments.indicator.file.target_path.text`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true +type: text -- -*`file.code_signature.valid`*:: +*`threat.enrichments.indicator.file.type`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +File type (file, dir, or symlink). -type: boolean +type: keyword -example: true +example: file -- -*`file.created`*:: +*`threat.enrichments.indicator.file.uid`*:: + -- -File creation time. -Note that not all filesystems store the creation time. +The user ID (UID) or security identifier (SID) of the file owner. -type: date +type: keyword + +example: 1001 -- -*`file.ctime`*:: +*`threat.enrichments.indicator.first_seen`*:: + -- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. 
This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. +The date and time when intelligence source first reported sighting this indicator. type: date +example: 2020-11-05T17:25:47.000Z + -- -*`file.device`*:: +*`threat.enrichments.indicator.geo.city_name`*:: + -- -Device that is the source of the file. +City name. type: keyword -example: sda +example: Montreal -- -*`file.directory`*:: +*`threat.enrichments.indicator.geo.continent_code`*:: + -- -Directory where the file is located. It should include the drive letter, when appropriate. +Two-letter code representing continent's name. type: keyword -example: /home/alice +example: NA -- -*`file.drive_letter`*:: +*`threat.enrichments.indicator.geo.continent_name`*:: + -- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. +Name of the continent. type: keyword -example: C +example: North America -- -*`file.elf.architecture`*:: +*`threat.enrichments.indicator.geo.country_iso_code`*:: + -- -Machine architecture of the ELF file. +Country ISO code. type: keyword -example: x86-64 +example: CA -- -*`file.elf.byte_order`*:: +*`threat.enrichments.indicator.geo.country_name`*:: + -- -Byte sequence of ELF file. +Country name. type: keyword -example: Little Endian +example: Canada -- -*`file.elf.cpu_type`*:: +*`threat.enrichments.indicator.geo.location`*:: + -- -CPU type of the ELF file. +Longitude and latitude. -type: keyword +type: geo_point -example: Intel +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`file.elf.creation_date`*:: +*`threat.enrichments.indicator.geo.name`*:: + -- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +User-defined description of a location, at the level of granularity they care about. 
+Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. -type: date +type: keyword + +example: boston-dc -- -*`file.elf.exports`*:: +*`threat.enrichments.indicator.geo.postal_code`*:: + -- -List of exported element names and types. +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. -type: flattened +type: keyword + +example: 94040 -- -*`file.elf.header.abi_version`*:: +*`threat.enrichments.indicator.geo.region_iso_code`*:: + -- -Version of the ELF Application Binary Interface (ABI). +Region ISO code. type: keyword +example: CA-QC + -- -*`file.elf.header.class`*:: +*`threat.enrichments.indicator.geo.region_name`*:: + -- -Header class of the ELF file. +Region name. type: keyword +example: Quebec + -- -*`file.elf.header.data`*:: +*`threat.enrichments.indicator.geo.timezone`*:: + -- -Data table of the ELF header. +The time zone of the location, such as IANA time zone name. type: keyword +example: America/Argentina/Buenos_Aires + -- -*`file.elf.header.entrypoint`*:: +*`threat.enrichments.indicator.hash.md5`*:: + -- -Header entrypoint of the ELF file. - -type: long +MD5 hash. -format: string +type: keyword -- -*`file.elf.header.object_version`*:: +*`threat.enrichments.indicator.hash.sha1`*:: + -- -"0x1" for original ELF files. +SHA1 hash. type: keyword -- -*`file.elf.header.os_abi`*:: +*`threat.enrichments.indicator.hash.sha256`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +SHA256 hash. type: keyword -- -*`file.elf.header.type`*:: +*`threat.enrichments.indicator.hash.sha512`*:: + -- -Header type of the ELF file. +SHA512 hash. type: keyword -- -*`file.elf.header.version`*:: +*`threat.enrichments.indicator.hash.ssdeep`*:: + -- -Version of the ELF header. +SSDEEP hash. 
type: keyword -- -*`file.elf.imports`*:: +*`threat.enrichments.indicator.ip`*:: + -- -List of imported element names and types. +Identifies a threat indicator as an IP address (irrespective of direction). -type: flattened +type: ip + +example: 1.2.3.4 -- -*`file.elf.sections`*:: +*`threat.enrichments.indicator.last_seen`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. +The date and time when intelligence source last reported sighting this indicator. -type: nested +type: date + +example: 2020-11-05T17:25:47.000Z -- -*`file.elf.sections.chi2`*:: +*`threat.enrichments.indicator.marking.tlp`*:: + -- -Chi-square probability distribution of the section. +Traffic Light Protocol sharing markings. Recommended values are: + * WHITE + * GREEN + * AMBER + * RED -type: long +type: keyword -format: number +example: White -- -*`file.elf.sections.entropy`*:: +*`threat.enrichments.indicator.modified_at`*:: + -- -Shannon entropy calculation from the section. +The date and time when intelligence source last modified information for this indicator. -type: long +type: date -format: number +example: 2020-11-05T17:25:47.000Z -- -*`file.elf.sections.flags`*:: +*`threat.enrichments.indicator.pe.architecture`*:: + -- -ELF Section List flags. +CPU architecture target for the file. type: keyword +example: x64 + -- -*`file.elf.sections.name`*:: +*`threat.enrichments.indicator.pe.company`*:: + -- -ELF Section List name. +Internal company name of the file, provided at compile-time. type: keyword +example: Microsoft Corporation + -- -*`file.elf.sections.physical_offset`*:: +*`threat.enrichments.indicator.pe.description`*:: + -- -ELF Section List offset. +Internal description of the file, provided at compile-time. 
type: keyword +example: Paint + -- -*`file.elf.sections.physical_size`*:: +*`threat.enrichments.indicator.pe.file_version`*:: + -- -ELF Section List physical size. +Internal version of the file, provided at compile-time. -type: long +type: keyword -format: bytes +example: 6.3.9600.17415 -- -*`file.elf.sections.type`*:: +*`threat.enrichments.indicator.pe.imphash`*:: + -- -ELF Section List type. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`file.elf.sections.virtual_address`*:: +*`threat.enrichments.indicator.pe.original_file_name`*:: + -- -ELF Section List virtual address. +Internal name of the file, provided at compile-time. -type: long +type: keyword -format: string +example: MSPAINT.EXE -- -*`file.elf.sections.virtual_size`*:: +*`threat.enrichments.indicator.pe.product`*:: + -- -ELF Section List virtual size. +Internal product name of the file, provided at compile-time. -type: long +type: keyword -format: string +example: Microsoft® Windows® Operating System -- -*`file.elf.segments`*:: +*`threat.enrichments.indicator.port`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. - -type: nested - --- +Identifies a threat indicator as a port number (irrespective of direction). -*`file.elf.segments.sections`*:: -+ --- -ELF object segment sections. +type: long -type: keyword +example: 443 -- -*`file.elf.segments.type`*:: +*`threat.enrichments.indicator.provider`*:: + -- -ELF object segment type. +The name of the indicator's provider. 
type: keyword --- - -*`file.elf.shared_libraries`*:: -+ --- -List of shared libraries used by this ELF object. - -type: keyword +example: lrz_urlhaus -- -*`file.elf.telfhash`*:: +*`threat.enrichments.indicator.reference`*:: + -- -telfhash symbol hash for ELF file. +Reference URL linking to additional information about this indicator. type: keyword +example: https://system.example.com/indicator/0001234 + -- -*`file.extension`*:: +*`threat.enrichments.indicator.registry.data.bytes`*:: + -- -File extension, excluding the leading dot. -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. type: keyword -example: png +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= -- -*`file.gid`*:: +*`threat.enrichments.indicator.registry.data.strings`*:: + -- -Primary group ID (GID) of the file. +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). type: keyword -example: 1001 +example: ["C:\rta\red_ttp\bin\myapp.exe"] -- -*`file.group`*:: +*`threat.enrichments.indicator.registry.data.type`*:: + -- -Primary group name of the file. +Standard registry type for encoding contents type: keyword -example: alice +example: REG_SZ -- -*`file.hash.md5`*:: +*`threat.enrichments.indicator.registry.hive`*:: + -- -MD5 hash. +Abbreviated name for the hive. type: keyword --- - -*`file.hash.sha1`*:: -+ --- -SHA1 hash. 
- -type: keyword +example: HKLM -- -*`file.hash.sha256`*:: +*`threat.enrichments.indicator.registry.key`*:: + -- -SHA256 hash. +Hive-relative path of keys. type: keyword +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + -- -*`file.hash.sha512`*:: +*`threat.enrichments.indicator.registry.path`*:: + -- -SHA512 hash. +Full path, including hive, key and value type: keyword +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + -- -*`file.hash.ssdeep`*:: +*`threat.enrichments.indicator.registry.value`*:: + -- -SSDEEP hash. +Name of the value written. type: keyword +example: Debugger + -- -*`file.inode`*:: +*`threat.enrichments.indicator.scanner_stats`*:: + -- -Inode representing the file in the filesystem. +Count of AV/EDR vendors that successfully detected malicious file or URL. -type: keyword +type: long -example: 256383 +example: 4 -- -*`file.mime_type`*:: +*`threat.enrichments.indicator.sightings`*:: + -- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. +Number of times this indicator was observed conducting threat activity. -type: keyword +type: long + +example: 20 -- -*`file.mode`*:: +*`threat.enrichments.indicator.type`*:: + -- -Mode of the file in octal representation. +Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate type: keyword -example: 0640 +example: ipv4-addr -- -*`file.mtime`*:: +*`threat.enrichments.indicator.url.domain`*:: + -- -Last time the file content was modified. 
+Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. -type: date +type: keyword + +example: www.elastic.co -- -*`file.name`*:: +*`threat.enrichments.indicator.url.extension`*:: + -- -Name of the file including the extension, without the directory. +The field contains the file extension from the original request url, excluding the leading dot. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword -example: example.png +example: png -- -*`file.owner`*:: +*`threat.enrichments.indicator.url.fragment`*:: + -- -File owner's username. +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. type: keyword -example: alice - -- -*`file.path`*:: +*`threat.enrichments.indicator.url.full`*:: + -- -Full path to the file, including the file name. It should include the drive letter, when appropriate. +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. type: keyword -example: /home/alice/example.png +example: https://www.elastic.co:443/search?q=elasticsearch#top -- -*`file.path.text`*:: +*`threat.enrichments.indicator.url.full.text`*:: + -- type: text -- -*`file.pe.architecture`*:: +*`threat.enrichments.indicator.url.original`*:: + -- -CPU architecture target for the file. +Unmodified original url as seen in the event source. 
+Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. type: keyword -example: x64 +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch -- -*`file.pe.company`*:: +*`threat.enrichments.indicator.url.original.text`*:: + -- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation +type: text -- -*`file.pe.description`*:: +*`threat.enrichments.indicator.url.password`*:: + -- -Internal description of the file, provided at compile-time. +Password of the request. type: keyword -example: Paint - -- -*`file.pe.file_version`*:: +*`threat.enrichments.indicator.url.path`*:: + -- -Internal version of the file, provided at compile-time. +Path of the request, such as "/search". type: keyword -example: 6.3.9600.17415 - -- -*`file.pe.imphash`*:: +*`threat.enrichments.indicator.url.port`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +Port of the request, such as 443. -type: keyword +type: long -example: 0c6803c4e922103c4dca5963aad36ddf +example: 443 + +format: string -- -*`file.pe.original_file_name`*:: +*`threat.enrichments.indicator.url.query`*:: + -- -Internal name of the file, provided at compile-time. +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
type: keyword -example: MSPAINT.EXE - -- -*`file.pe.product`*:: +*`threat.enrichments.indicator.url.registered_domain`*:: + -- -Internal product name of the file, provided at compile-time. +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: Microsoft® Windows® Operating System +example: example.com -- -*`file.size`*:: +*`threat.enrichments.indicator.url.scheme`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. -type: long +type: keyword -example: 16384 +example: https -- -*`file.target_path`*:: +*`threat.enrichments.indicator.url.subdomain`*:: + -- -Target path for symlinks. +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. type: keyword --- - -*`file.target_path.text`*:: -+ --- -type: text +example: east -- -*`file.type`*:: +*`threat.enrichments.indicator.url.top_level_domain`*:: + -- -File type (file, dir, or symlink). +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword -example: file +example: co.uk -- -*`file.uid`*:: +*`threat.enrichments.indicator.url.username`*:: + -- -The user ID (UID) or security identifier (SID) of the file owner. +Username of the request. type: keyword -example: 1001 - -- -*`file.x509.alternative_names`*:: +*`threat.enrichments.indicator.x509.alternative_names`*:: + -- List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. @@ -43499,7 +44480,7 @@ example: *.elastic.co -- -*`file.x509.issuer.common_name`*:: +*`threat.enrichments.indicator.x509.issuer.common_name`*:: + -- List of common name (CN) of issuing certificate authority. @@ -43510,7 +44491,7 @@ example: Example SHA2 High Assurance Server CA -- -*`file.x509.issuer.country`*:: +*`threat.enrichments.indicator.x509.issuer.country`*:: + -- List of country (C) codes @@ -43521,7 +44502,7 @@ example: US -- -*`file.x509.issuer.distinguished_name`*:: +*`threat.enrichments.indicator.x509.issuer.distinguished_name`*:: + -- Distinguished name (DN) of issuing certificate authority. @@ -43532,7 +44513,7 @@ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance -- -*`file.x509.issuer.locality`*:: +*`threat.enrichments.indicator.x509.issuer.locality`*:: + -- List of locality names (L) @@ -43543,7 +44524,7 @@ example: Mountain View -- -*`file.x509.issuer.organization`*:: +*`threat.enrichments.indicator.x509.issuer.organization`*:: + -- List of organizations (O) of issuing certificate authority. 
@@ -43554,7 +44535,7 @@ example: Example Inc -- -*`file.x509.issuer.organizational_unit`*:: +*`threat.enrichments.indicator.x509.issuer.organizational_unit`*:: + -- List of organizational units (OU) of issuing certificate authority. @@ -43565,7 +44546,7 @@ example: www.example.com -- -*`file.x509.issuer.state_or_province`*:: +*`threat.enrichments.indicator.x509.issuer.state_or_province`*:: + -- List of state or province names (ST, S, or P) @@ -43576,7 +44557,7 @@ example: California -- -*`file.x509.not_after`*:: +*`threat.enrichments.indicator.x509.not_after`*:: + -- Time at which the certificate is no longer considered valid. @@ -43587,7 +44568,7 @@ example: 2020-07-16 03:15:39+00:00 -- -*`file.x509.not_before`*:: +*`threat.enrichments.indicator.x509.not_before`*:: + -- Time at which the certificate is first considered valid. @@ -43598,7 +44579,7 @@ example: 2019-08-16 01:40:25+00:00 -- -*`file.x509.public_key_algorithm`*:: +*`threat.enrichments.indicator.x509.public_key_algorithm`*:: + -- Algorithm used to generate the public key. @@ -43609,7 +44590,7 @@ example: RSA -- -*`file.x509.public_key_curve`*:: +*`threat.enrichments.indicator.x509.public_key_curve`*:: + -- The curve used by the elliptic curve public key algorithm. This is algorithm specific. @@ -43620,7 +44601,7 @@ example: nistp521 -- -*`file.x509.public_key_exponent`*:: +*`threat.enrichments.indicator.x509.public_key_exponent`*:: + -- Exponent used to derive the public key. This is algorithm specific. @@ -43633,7 +44614,7 @@ Field is not indexed. -- -*`file.x509.public_key_size`*:: +*`threat.enrichments.indicator.x509.public_key_size`*:: + -- The size of the public key space in bits. @@ -43644,7 +44625,7 @@ example: 2048 -- -*`file.x509.serial_number`*:: +*`threat.enrichments.indicator.x509.serial_number`*:: + -- Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
@@ -43655,7 +44636,7 @@ example: 55FBB9C7DEBF09809D12CCAA -- -*`file.x509.signature_algorithm`*:: +*`threat.enrichments.indicator.x509.signature_algorithm`*:: + -- Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. @@ -43666,7 +44647,7 @@ example: SHA256-RSA -- -*`file.x509.subject.common_name`*:: +*`threat.enrichments.indicator.x509.subject.common_name`*:: + -- List of common names (CN) of subject. @@ -43677,7 +44658,7 @@ example: shared.global.example.net -- -*`file.x509.subject.country`*:: +*`threat.enrichments.indicator.x509.subject.country`*:: + -- List of country (C) code @@ -43688,7 +44669,7 @@ example: US -- -*`file.x509.subject.distinguished_name`*:: +*`threat.enrichments.indicator.x509.subject.distinguished_name`*:: + -- Distinguished name (DN) of the certificate subject entity. @@ -43699,7 +44680,7 @@ example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global -- -*`file.x509.subject.locality`*:: +*`threat.enrichments.indicator.x509.subject.locality`*:: + -- List of locality names (L) @@ -43710,7 +44691,7 @@ example: San Francisco -- -*`file.x509.subject.organization`*:: +*`threat.enrichments.indicator.x509.subject.organization`*:: + -- List of organizations (O) of subject. @@ -43721,7 +44702,7 @@ example: Example, Inc. -- -*`file.x509.subject.organizational_unit`*:: +*`threat.enrichments.indicator.x509.subject.organizational_unit`*:: + -- List of organizational units (OU) of subject. @@ -43730,7 +44711,7 @@ type: keyword -- -*`file.x509.subject.state_or_province`*:: +*`threat.enrichments.indicator.x509.subject.state_or_province`*:: + -- List of state or province names (ST, S, or P) @@ -43741,7 +44722,7 @@ example: California -- -*`file.x509.version_number`*:: +*`threat.enrichments.indicator.x509.version_number`*:: + -- Version of x509 format. 
@@ -43752,17205 +44733,9568 @@ example: 3 -- -[float] -=== geo +*`threat.enrichments.matched.atomic`*:: ++ +-- +Identifies the atomic indicator value that matched a local environment endpoint or network event. -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +type: keyword + +example: bad-domain.com +-- -*`geo.city_name`*:: +*`threat.enrichments.matched.field`*:: + -- -City name. +Identifies the field of the atomic indicator that matched a local environment endpoint or network event. type: keyword -example: Montreal +example: file.hash.sha256 -- -*`geo.continent_code`*:: +*`threat.enrichments.matched.id`*:: + -- -Two-letter code representing continent's name. +Identifies the _id of the indicator document enriching the event. type: keyword -example: NA +example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 -- -*`geo.continent_name`*:: +*`threat.enrichments.matched.index`*:: + -- -Name of the continent. +Identifies the _index of the indicator document enriching the event. type: keyword -example: North America +example: filebeat-8.0.0-2021.05.23-000011 -- -*`geo.country_iso_code`*:: +*`threat.enrichments.matched.type`*:: + -- -Country ISO code. +Identifies the type of match that caused the event to be enriched with the given indicator type: keyword -example: CA +example: indicator_match_rule -- -*`geo.country_name`*:: +*`threat.framework`*:: + -- -Country name. +Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. type: keyword -example: Canada +example: MITRE ATT&CK -- -*`geo.location`*:: +*`threat.group.alias`*:: + -- -Longitude and latitude. 
+The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: [ "Magecart Group 6" ] -- -*`geo.name`*:: +*`threat.group.id`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. type: keyword -example: boston-dc +example: G0037 -- -*`geo.postal_code`*:: +*`threat.group.name`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. +The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. type: keyword -example: 94040 +example: FIN6 -- -*`geo.region_iso_code`*:: +*`threat.group.reference`*:: + -- -Region ISO code. +The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword -example: CA-QC +example: https://attack.mitre.org/groups/G0037/ -- -*`geo.region_name`*:: +*`threat.indicator.as.number`*:: + -- -Region name. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
-type: keyword +type: long -example: Quebec +example: 15169 -- -*`geo.timezone`*:: +*`threat.indicator.as.organization.name`*:: + -- -The time zone of the location, such as IANA time zone name. +Organization name. type: keyword -example: America/Argentina/Buenos_Aires +example: Google LLC -- -[float] -=== group - -The group fields are meant to represent groups that are relevant to the event. +*`threat.indicator.as.organization.name.text`*:: ++ +-- +type: text +-- -*`group.domain`*:: +*`threat.indicator.confidence`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Identifies the confidence rating assigned by the provider using STIX confidence scales. +Recommended values: + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) type: keyword +example: High + -- -*`group.id`*:: +*`threat.indicator.description`*:: + -- -Unique identifier for the group on the system/platform. +Describes the type of action conducted by the threat. type: keyword +example: IP x.x.x.x was observed delivering the Angler EK. + -- -*`group.name`*:: +*`threat.indicator.email.address`*:: + -- -Name of the group. +Identifies a threat indicator as an email address (irrespective of direction). type: keyword +example: phish@example.com + -- -[float] -=== hash +*`threat.indicator.file.accessed`*:: ++ +-- +Last time the file was accessed. +Note that not all filesystems keep track of access time. -The hash fields represent different bitwise hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). -Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. 
Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). +type: date +-- -*`hash.md5`*:: +*`threat.indicator.file.attributes`*:: + -- -MD5 hash. +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. type: keyword +example: ["readonly", "system"] + -- -*`hash.sha1`*:: +*`threat.indicator.file.code_signature.exists`*:: + -- -SHA1 hash. +Boolean to capture if a signature is present. -type: keyword +type: boolean + +example: true -- -*`hash.sha256`*:: +*`threat.indicator.file.code_signature.signing_id`*:: + -- -SHA256 hash. +The identifier used to sign the process. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword +example: com.apple.xpc.proxy + -- -*`hash.sha512`*:: +*`threat.indicator.file.code_signature.status`*:: + -- -SHA512 hash. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`hash.ssdeep`*:: +*`threat.indicator.file.code_signature.subject_name`*:: + -- -SSDEEP hash. +Subject name of the code signer type: keyword --- - -[float] -=== host - -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +example: Microsoft Corporation +-- -*`host.architecture`*:: +*`threat.indicator.file.code_signature.team_id`*:: + -- -Operating system architecture. +The team identifier used to sign the process. 
+This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword -example: x86_64 +example: EQHXZ8M8AV -- -*`host.cpu.usage`*:: +*`threat.indicator.file.code_signature.trusted`*:: + -- -Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. -Scaling factor: 1000. -For example: For a two core host, this value should be the average of the two cores, between 0 and 1. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: scaled_float +type: boolean + +example: true -- -*`host.disk.read.bytes`*:: +*`threat.indicator.file.code_signature.valid`*:: + -- -The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: long +type: boolean + +example: true -- -*`host.disk.write.bytes`*:: +*`threat.indicator.file.created`*:: + -- -The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. +File creation time. +Note that not all filesystems store the creation time. -type: long +type: date -- -*`host.domain`*:: +*`threat.indicator.file.ctime`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - -type: keyword +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. 
-example: CONTOSO +type: date -- -*`host.geo.city_name`*:: +*`threat.indicator.file.device`*:: + -- -City name. +Device that is the source of the file. type: keyword -example: Montreal +example: sda -- -*`host.geo.continent_code`*:: +*`threat.indicator.file.directory`*:: + -- -Two-letter code representing continent's name. +Directory where the file is located. It should include the drive letter, when appropriate. type: keyword -example: NA +example: /home/alice -- -*`host.geo.continent_name`*:: +*`threat.indicator.file.drive_letter`*:: + -- -Name of the continent. +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. type: keyword -example: North America +example: C -- -*`host.geo.country_iso_code`*:: +*`threat.indicator.file.elf.architecture`*:: + -- -Country ISO code. +Machine architecture of the ELF file. type: keyword -example: CA +example: x86-64 -- -*`host.geo.country_name`*:: +*`threat.indicator.file.elf.byte_order`*:: + -- -Country name. +Byte sequence of ELF file. type: keyword -example: Canada +example: Little Endian -- -*`host.geo.location`*:: +*`threat.indicator.file.elf.cpu_type`*:: + -- -Longitude and latitude. +CPU type of the ELF file. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Intel -- -*`host.geo.name`*:: +*`threat.indicator.file.elf.creation_date`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword +Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. -example: boston-dc +type: date -- -*`host.geo.postal_code`*:: +*`threat.indicator.file.elf.exports`*:: + -- -Postal code associated with the location. 
-Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - -type: keyword +List of exported element names and types. -example: 94040 +type: flattened -- -*`host.geo.region_iso_code`*:: +*`threat.indicator.file.elf.header.abi_version`*:: + -- -Region ISO code. +Version of the ELF Application Binary Interface (ABI). type: keyword -example: CA-QC - -- -*`host.geo.region_name`*:: +*`threat.indicator.file.elf.header.class`*:: + -- -Region name. +Header class of the ELF file. type: keyword -example: Quebec - -- -*`host.geo.timezone`*:: +*`threat.indicator.file.elf.header.data`*:: + -- -The time zone of the location, such as IANA time zone name. +Data table of the ELF header. type: keyword -example: America/Argentina/Buenos_Aires - -- -*`host.hostname`*:: +*`threat.indicator.file.elf.header.entrypoint`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +Header entrypoint of the ELF file. -type: keyword +type: long + +format: string -- -*`host.id`*:: +*`threat.indicator.file.elf.header.object_version`*:: + -- -Unique host id. -As hostname is not always unique, use values that are meaningful in your environment. -Example: The current usage of `beat.name`. +"0x1" for original ELF files. type: keyword -- -*`host.ip`*:: +*`threat.indicator.file.elf.header.os_abi`*:: + -- -Host ip addresses. +Application Binary Interface (ABI) of the Linux OS. -type: ip +type: keyword -- -*`host.mac`*:: +*`threat.indicator.file.elf.header.type`*:: + -- -Host MAC addresses. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. +Header type of the ELF file. 
type: keyword -example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] - -- -*`host.name`*:: +*`threat.indicator.file.elf.header.version`*:: + -- -Name of the host. -It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +Version of the ELF header. type: keyword -- -*`host.network.egress.bytes`*:: +*`threat.indicator.file.elf.imports`*:: + -- -The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. +List of imported element names and types. -type: long +type: flattened -- -*`host.network.egress.packets`*:: +*`threat.indicator.file.elf.sections`*:: + -- -The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. +An array containing an object for each section of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. -type: long +type: nested -- -*`host.network.ingress.bytes`*:: +*`threat.indicator.file.elf.sections.chi2`*:: + -- -The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. +Chi-square probability distribution of the section. type: long +format: number + -- -*`host.network.ingress.packets`*:: +*`threat.indicator.file.elf.sections.entropy`*:: + -- -The number of packets (gauge) received on all network interfaces by the host since the last metric collection. +Shannon entropy calculation from the section. type: long +format: number + -- -*`host.os.family`*:: +*`threat.indicator.file.elf.sections.flags`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +ELF Section List flags. type: keyword -example: debian - -- -*`host.os.full`*:: +*`threat.indicator.file.elf.sections.name`*:: + -- -Operating system name, including the version or code name. +ELF Section List name. 
type: keyword -example: Mac OS Mojave - --- - -*`host.os.full.text`*:: -+ --- -type: text - -- -*`host.os.kernel`*:: +*`threat.indicator.file.elf.sections.physical_offset`*:: + -- -Operating system kernel version as a raw string. +ELF Section List offset. type: keyword -example: 4.4.0-112-generic - -- -*`host.os.name`*:: +*`threat.indicator.file.elf.sections.physical_size`*:: + -- -Operating system name, without the version. +ELF Section List physical size. -type: keyword +type: long -example: Mac OS X +format: bytes -- -*`host.os.name.text`*:: +*`threat.indicator.file.elf.sections.type`*:: + -- -type: text +ELF Section List type. + +type: keyword -- -*`host.os.platform`*:: +*`threat.indicator.file.elf.sections.virtual_address`*:: + -- -Operating system platform (such centos, ubuntu, windows). +ELF Section List virtual address. -type: keyword +type: long -example: darwin +format: string -- -*`host.os.type`*:: +*`threat.indicator.file.elf.sections.virtual_size`*:: + -- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +ELF Section List virtual size. -type: keyword +type: long -example: macos +format: string -- -*`host.os.version`*:: +*`threat.indicator.file.elf.segments`*:: + -- -Operating system version as a raw string. - -type: keyword +An array containing an object for each segment of the ELF file. +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. -example: 10.14.1 +type: nested -- -*`host.type`*:: +*`threat.indicator.file.elf.segments.sections`*:: + -- -Type of host. -For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. +ELF object segment sections. type: keyword -- -*`host.uptime`*:: +*`threat.indicator.file.elf.segments.type`*:: + -- -Seconds the host has been up. - -type: long +ELF object segment type. -example: 1325 +type: keyword -- -*`host.user.domain`*:: +*`threat.indicator.file.elf.shared_libraries`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +List of shared libraries used by this ELF object. type: keyword -- -*`host.user.email`*:: +*`threat.indicator.file.elf.telfhash`*:: + -- -User email address. +telfhash symbol hash for ELF file. type: keyword -- -*`host.user.full_name`*:: +*`threat.indicator.file.extension`*:: + -- -User's full name, if available. +File extension, excluding the leading dot. +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword -example: Albert Einstein +example: png -- -*`host.user.full_name.text`*:: +*`threat.indicator.file.gid`*:: + -- -type: text +Primary group ID (GID) of the file. + +type: keyword + +example: 1001 -- -*`host.user.group.domain`*:: +*`threat.indicator.file.group`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Primary group name of the file. type: keyword +example: alice + -- -*`host.user.group.id`*:: +*`threat.indicator.file.inode`*:: + -- -Unique identifier for the group on the system/platform. +Inode representing the file in the filesystem. type: keyword +example: 256383 + -- -*`host.user.group.name`*:: +*`threat.indicator.file.mime_type`*:: + -- -Name of the group. +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. 
When more than one type is applicable, the most specific type should be used. type: keyword -- -*`host.user.hash`*:: +*`threat.indicator.file.mode`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Mode of the file in octal representation. type: keyword +example: 0640 + -- -*`host.user.id`*:: +*`threat.indicator.file.mtime`*:: + -- -Unique identifier of the user. +Last time the file content was modified. -type: keyword +type: date -- -*`host.user.name`*:: +*`threat.indicator.file.name`*:: + -- -Short name or login of the user. +Name of the file including the extension, without the directory. type: keyword -example: albert +example: example.png -- -*`host.user.name.text`*:: +*`threat.indicator.file.owner`*:: + -- -type: text +File owner's username. + +type: keyword + +example: alice -- -*`host.user.roles`*:: +*`threat.indicator.file.path`*:: + -- -Array of user roles at the time of the event. +Full path to the file, including the file name. It should include the drive letter, when appropriate. type: keyword -example: ["kibana_admin", "reporting_user"] +example: /home/alice/example.png -- -[float] -=== http - -Fields related to HTTP activity. Use the `url` field set to store the url of the request. +*`threat.indicator.file.path.text`*:: ++ +-- +type: text +-- -*`http.request.body.bytes`*:: +*`threat.indicator.file.size`*:: + -- -Size in bytes of the request body. +File size in bytes. +Only relevant when `file.type` is "file". type: long -example: 887 - -format: bytes +example: 16384 -- -*`http.request.body.content`*:: +*`threat.indicator.file.target_path`*:: + -- -The full HTTP request body. +Target path for symlinks. 
type: keyword -example: Hello world - -- -*`http.request.body.content.text`*:: +*`threat.indicator.file.target_path.text`*:: + -- type: text -- -*`http.request.bytes`*:: +*`threat.indicator.file.type`*:: + -- -Total size in bytes of the request (body and headers). - -type: long +File type (file, dir, or symlink). -example: 1437 +type: keyword -format: bytes +example: file -- -*`http.request.id`*:: +*`threat.indicator.file.uid`*:: + -- -A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. -The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. +The user ID (UID) or security identifier (SID) of the file owner. type: keyword -example: 123e4567-e89b-12d3-a456-426614174000 +example: 1001 -- -*`http.request.method`*:: +*`threat.indicator.first_seen`*:: + -- -HTTP request method. -Prior to ECS 1.6.0 the following guidance was provided: -"The field value must be normalized to lowercase for querying." -As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 +The date and time when intelligence source first reported sighting this indicator. -type: keyword +type: date -example: GET, POST, PUT, PoST +example: 2020-11-05T17:25:47.000Z -- -*`http.request.mime_type`*:: +*`threat.indicator.geo.city_name`*:: + -- -Mime type of the body of the request. -This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. +City name. type: keyword -example: image/gif +example: Montreal -- -*`http.request.referrer`*:: +*`threat.indicator.geo.continent_code`*:: + -- -Referrer for this HTTP request. +Two-letter code representing continent's name. 
type: keyword -example: https://blog.example.com/ +example: NA -- -*`http.response.body.bytes`*:: +*`threat.indicator.geo.continent_name`*:: + -- -Size in bytes of the response body. - -type: long +Name of the continent. -example: 887 +type: keyword -format: bytes +example: North America -- -*`http.response.body.content`*:: +*`threat.indicator.geo.country_iso_code`*:: + -- -The full HTTP response body. +Country ISO code. type: keyword -example: Hello world +example: CA -- -*`http.response.body.content.text`*:: +*`threat.indicator.geo.country_name`*:: + -- -type: text +Country name. + +type: keyword + +example: Canada -- -*`http.response.bytes`*:: +*`threat.indicator.geo.location`*:: + -- -Total size in bytes of the response (body and headers). - -type: long +Longitude and latitude. -example: 1437 +type: geo_point -format: bytes +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`http.response.mime_type`*:: +*`threat.indicator.geo.name`*:: + -- -Mime type of the body of the response. -This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: image/gif +example: boston-dc -- -*`http.response.status_code`*:: +*`threat.indicator.geo.postal_code`*:: + -- -HTTP response status code. - -type: long +Postal code associated with the location. +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. -example: 404 +type: keyword -format: string +example: 94040 -- -*`http.version`*:: +*`threat.indicator.geo.region_iso_code`*:: + -- -HTTP version. 
+Region ISO code. type: keyword -example: 1.1 +example: CA-QC -- -[float] -=== interface - -The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. - - -*`interface.alias`*:: +*`threat.indicator.geo.region_name`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +Region name. type: keyword -example: outside +example: Quebec -- -*`interface.id`*:: +*`threat.indicator.geo.timezone`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +The time zone of the location, such as IANA time zone name. type: keyword -example: 10 +example: America/Argentina/Buenos_Aires -- -*`interface.name`*:: +*`threat.indicator.hash.md5`*:: + -- -Interface name as reported by the system. +MD5 hash. type: keyword -example: eth0 - -- -[float] -=== log - -Details about the event's logging mechanism or logging transport. -The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. -The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. - - -*`log.file.path`*:: +*`threat.indicator.hash.sha1`*:: + -- -Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. -If the event wasn't read from a log file, do not populate this field. +SHA1 hash. type: keyword -example: /var/log/fun-times.log - -- -*`log.level`*:: +*`threat.indicator.hash.sha256`*:: + -- -Original log level of the log event. 
-If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). -Some examples are `warn`, `err`, `i`, `informational`. +SHA256 hash. type: keyword -example: error - -- -*`log.logger`*:: +*`threat.indicator.hash.sha512`*:: + -- -The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. +SHA512 hash. type: keyword -example: org.elasticsearch.bootstrap.Bootstrap - -- -*`log.origin.file.line`*:: +*`threat.indicator.hash.ssdeep`*:: + -- -The line number of the file containing the source code which originated the log event. - -type: integer +SSDEEP hash. -example: 42 +type: keyword -- -*`log.origin.file.name`*:: +*`threat.indicator.ip`*:: + -- -The name of the file containing the source code which originated the log event. -Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. +Identifies a threat indicator as an IP address (irrespective of direction). -type: keyword +type: ip -example: Bootstrap.java +example: 1.2.3.4 -- -*`log.origin.function`*:: +*`threat.indicator.last_seen`*:: + -- -The name of the function or method which originated the log event. +The date and time when intelligence source last reported sighting this indicator. -type: keyword +type: date -example: init +example: 2020-11-05T17:25:47.000Z -- -*`log.original`*:: +*`threat.indicator.marking.tlp`*:: + -- -Deprecated for removal in next major version release. This field is superseded by `event.original`. -This is the original log message and contains the full log message before splitting it up in multiple parts. -In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. 
It can have already some modifications applied like encoding or new lines removed to clean up the log message. -This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +Traffic Light Protocol sharing markings. +Recommended values are: + * WHITE + * GREEN + * AMBER + * RED type: keyword -example: Sep 19 08:26:10 localhost My log - -Field is not indexed. +example: WHITE -- -*`log.syslog`*:: +*`threat.indicator.modified_at`*:: + -- -The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. +The date and time when intelligence source last modified information for this indicator. -type: object +type: date + +example: 2020-11-05T17:25:47.000Z -- -*`log.syslog.facility.code`*:: +*`threat.indicator.pe.architecture`*:: + -- -The Syslog numeric facility of the log event, if available. -According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - -type: long +CPU architecture target for the file. -example: 23 +type: keyword -format: string +example: x64 -- -*`log.syslog.facility.name`*:: +*`threat.indicator.pe.company`*:: + -- -The Syslog text-based facility of the log event, if available. +Internal company name of the file, provided at compile-time. type: keyword -example: local7 +example: Microsoft Corporation -- -*`log.syslog.priority`*:: +*`threat.indicator.pe.description`*:: + -- -Syslog numeric priority of the event, if available. -According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - -type: long +Internal description of the file, provided at compile-time. -example: 135 +type: keyword -format: string +example: Paint -- -*`log.syslog.severity.code`*:: +*`threat.indicator.pe.file_version`*:: + -- -The Syslog numeric severity of the log event, if available. 
-If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +Internal version of the file, provided at compile-time. -type: long +type: keyword -example: 3 +example: 6.3.9600.17415 -- -*`log.syslog.severity.name`*:: +*`threat.indicator.pe.imphash`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword -example: Error +example: 0c6803c4e922103c4dca5963aad36ddf -- -[float] -=== network +*`threat.indicator.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. -The network is defined as the communication path over which a host or network event happens. -The network.* fields should be populated with details about the network activity associated with an event. +type: keyword +example: MSPAINT.EXE -*`network.application`*:: +-- + +*`threat.indicator.pe.product`*:: + -- -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. 
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Internal product name of the file, provided at compile-time. type: keyword -example: aim +example: Microsoft® Windows® Operating System -- -*`network.bytes`*:: +*`threat.indicator.port`*:: + -- -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. +Identifies a threat indicator as a port number (irrespective of direction). type: long -example: 368 - -format: bytes +example: 443 -- -*`network.community_id`*:: +*`threat.indicator.provider`*:: + -- -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. +The name of the indicator's provider. type: keyword -example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= +example: lrz_urlhaus -- -*`network.direction`*:: +*`threat.indicator.reference`*:: + -- -Direction of the network traffic. -Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - -When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". -Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. +Reference URL linking to additional information about this indicator. 
type: keyword -example: inbound +example: https://system.example.com/indicator/0001234 -- -*`network.forwarded_ip`*:: +*`threat.indicator.registry.data.bytes`*:: + -- -Host IP address when the source IP address is the proxy. +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. -type: ip +type: keyword -example: 192.1.1.2 +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= -- -*`network.iana_number`*:: +*`threat.indicator.registry.data.strings`*:: + -- -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). type: keyword -example: 6 +example: ["C:\rta\red_ttp\bin\myapp.exe"] -- -*`network.inner`*:: +*`threat.indicator.registry.data.type`*:: + -- -Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) +Standard registry type for encoding contents -type: object +type: keyword + +example: REG_SZ -- -*`network.inner.vlan.id`*:: +*`threat.indicator.registry.hive`*:: + -- -VLAN ID as reported by the observer. +Abbreviated name for the hive. 
type: keyword -example: 10 +example: HKLM -- -*`network.inner.vlan.name`*:: +*`threat.indicator.registry.key`*:: + -- -Optional VLAN name as reported by the observer. +Hive-relative path of keys. type: keyword -example: outside +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe -- -*`network.name`*:: +*`threat.indicator.registry.path`*:: + -- -Name given by operators to sections of their network. +Full path, including hive, key and value type: keyword -example: Guest Wifi +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger -- -*`network.packets`*:: +*`threat.indicator.registry.value`*:: + -- -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. +Name of the value written. -type: long +type: keyword -example: 24 +example: Debugger -- -*`network.protocol`*:: +*`threat.indicator.scanner_stats`*:: + -- -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Count of AV/EDR vendors that successfully detected malicious file or URL. -type: keyword +type: long -example: http +example: 4 -- -*`network.transport`*:: +*`threat.indicator.sightings`*:: + -- -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Number of times this indicator was observed conducting threat activity. -type: keyword +type: long -example: tcp +example: 20 -- -*`network.type`*:: +*`threat.indicator.type`*:: + -- -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
+Type of indicator as represented by Cyber Observable in STIX 2.0. +Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate type: keyword -example: ipv4 +example: ipv4-addr -- -*`network.vlan.id`*:: +*`threat.indicator.url.domain`*:: + -- -VLAN ID as reported by the observer. +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword -example: 10 +example: www.elastic.co -- -*`network.vlan.name`*:: +*`threat.indicator.url.extension`*:: + -- -Optional VLAN name as reported by the observer. +The field contains the file extension from the original request url, excluding the leading dot. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). type: keyword -example: outside +example: png -- -[float] -=== observer - -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. -This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. 
The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. - - -*`observer.egress`*:: +*`threat.indicator.url.fragment`*:: + -- -Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. -type: object +type: keyword -- -*`observer.egress.interface.alias`*:: +*`threat.indicator.url.full`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. type: keyword -example: outside +example: https://www.elastic.co:443/search?q=elasticsearch#top -- -*`observer.egress.interface.id`*:: +*`threat.indicator.url.full.text`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). - -type: keyword - -example: 10 +type: text -- -*`observer.egress.interface.name`*:: +*`threat.indicator.url.original`*:: + -- -Interface name as reported by the system. +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. 
type: keyword -example: eth0 +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch -- -*`observer.egress.vlan.id`*:: +*`threat.indicator.url.original.text`*:: + -- -VLAN ID as reported by the observer. - -type: keyword - -example: 10 +type: text -- -*`observer.egress.vlan.name`*:: +*`threat.indicator.url.password`*:: + -- -Optional VLAN name as reported by the observer. +Password of the request. type: keyword -example: outside - -- -*`observer.egress.zone`*:: +*`threat.indicator.url.path`*:: + -- -Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. +Path of the request, such as "/search". type: keyword -example: Public_Internet - -- -*`observer.geo.city_name`*:: +*`threat.indicator.url.port`*:: + -- -City name. +Port of the request, such as 443. -type: keyword +type: long -example: Montreal +example: 443 + +format: string -- -*`observer.geo.continent_code`*:: +*`threat.indicator.url.query`*:: + -- -Two-letter code representing continent's name. +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. type: keyword -example: NA - -- -*`observer.geo.continent_name`*:: +*`threat.indicator.url.registered_domain`*:: + -- -Name of the continent. +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
type: keyword -example: North America +example: example.com -- -*`observer.geo.country_iso_code`*:: +*`threat.indicator.url.scheme`*:: + -- -Country ISO code. +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. type: keyword -example: CA +example: https -- -*`observer.geo.country_name`*:: +*`threat.indicator.url.subdomain`*:: + -- -Country name. +The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. type: keyword -example: Canada +example: east -- -*`observer.geo.location`*:: +*`threat.indicator.url.top_level_domain`*:: + -- -Longitude and latitude. +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: co.uk -- -*`observer.geo.name`*:: +*`threat.indicator.url.username`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +Username of the request. 
type: keyword -example: boston-dc - -- -*`observer.geo.postal_code`*:: +*`threat.indicator.x509.alternative_names`*:: + -- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: 94040 +example: *.elastic.co -- -*`observer.geo.region_iso_code`*:: +*`threat.indicator.x509.issuer.common_name`*:: + -- -Region ISO code. +List of common name (CN) of issuing certificate authority. type: keyword -example: CA-QC +example: Example SHA2 High Assurance Server CA -- -*`observer.geo.region_name`*:: +*`threat.indicator.x509.issuer.country`*:: + -- -Region name. +List of country (C) codes type: keyword -example: Quebec +example: US -- -*`observer.geo.timezone`*:: +*`threat.indicator.x509.issuer.distinguished_name`*:: + -- -The time zone of the location, such as IANA time zone name. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: America/Argentina/Buenos_Aires +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`observer.hostname`*:: +*`threat.indicator.x509.issuer.locality`*:: + -- -Hostname of the observer. +List of locality names (L) type: keyword +example: Mountain View + -- -*`observer.ingress`*:: +*`threat.indicator.x509.issuer.organization`*:: + -- -Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. +List of organizations (O) of issuing certificate authority. 
-type: object +type: keyword + +example: Example Inc -- -*`observer.ingress.interface.alias`*:: +*`threat.indicator.x509.issuer.organizational_unit`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: outside +example: www.example.com -- -*`observer.ingress.interface.id`*:: +*`threat.indicator.x509.issuer.state_or_province`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +List of state or province names (ST, S, or P) type: keyword -example: 10 +example: California -- -*`observer.ingress.interface.name`*:: +*`threat.indicator.x509.not_after`*:: + -- -Interface name as reported by the system. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: eth0 +example: 2020-07-16 03:15:39+00:00 -- -*`observer.ingress.vlan.id`*:: +*`threat.indicator.x509.not_before`*:: + -- -VLAN ID as reported by the observer. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: 10 +example: 2019-08-16 01:40:25+00:00 -- -*`observer.ingress.vlan.name`*:: +*`threat.indicator.x509.public_key_algorithm`*:: + -- -Optional VLAN name as reported by the observer. +Algorithm used to generate the public key. type: keyword -example: outside +example: RSA -- -*`observer.ingress.zone`*:: +*`threat.indicator.x509.public_key_curve`*:: + -- -Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -example: DMZ +example: nistp521 -- -*`observer.ip`*:: +*`threat.indicator.x509.public_key_exponent`*:: + -- -IP addresses of the observer. +Exponent used to derive the public key. This is algorithm specific. 
-type: ip +type: long + +example: 65537 + +Field is not indexed. -- -*`observer.mac`*:: +*`threat.indicator.x509.public_key_size`*:: + -- -MAC addresses of the observer. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. +The size of the public key space in bits. -type: keyword +type: long -example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] +example: 2048 -- -*`observer.name`*:: +*`threat.indicator.x509.serial_number`*:: + -- -Custom name of the observer. -This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. -If no custom name is needed, the field can be left empty. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1_proxySG +example: 55FBB9C7DEBF09809D12CCAA -- -*`observer.os.family`*:: +*`threat.indicator.x509.signature_algorithm`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: debian +example: SHA256-RSA -- -*`observer.os.full`*:: +*`threat.indicator.x509.subject.common_name`*:: + -- -Operating system name, including the version or code name. +List of common names (CN) of subject. 
type: keyword -example: Mac OS Mojave +example: shared.global.example.net -- -*`observer.os.full.text`*:: +*`threat.indicator.x509.subject.country`*:: + -- -type: text +List of country (C) code + +type: keyword + +example: US -- -*`observer.os.kernel`*:: +*`threat.indicator.x509.subject.distinguished_name`*:: + -- -Operating system kernel version as a raw string. +Distinguished name (DN) of the certificate subject entity. type: keyword -example: 4.4.0-112-generic +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`observer.os.name`*:: +*`threat.indicator.x509.subject.locality`*:: + -- -Operating system name, without the version. +List of locality names (L) type: keyword -example: Mac OS X +example: San Francisco -- -*`observer.os.name.text`*:: +*`threat.indicator.x509.subject.organization`*:: + -- -type: text +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. -- -*`observer.os.platform`*:: +*`threat.indicator.x509.subject.organizational_unit`*:: + -- -Operating system platform (such centos, ubuntu, windows). +List of organizational units (OU) of subject. type: keyword -example: darwin - -- -*`observer.os.type`*:: +*`threat.indicator.x509.subject.state_or_province`*:: + -- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +List of state or province names (ST, S, or P) type: keyword -example: macos +example: California -- -*`observer.os.version`*:: +*`threat.indicator.x509.version_number`*:: + -- -Operating system version as a raw string. +Version of x509 format. 
type: keyword -example: 10.14.1 +example: 3 -- -*`observer.product`*:: +*`threat.software.id`*:: + -- -The product name of the observer. +The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. type: keyword -example: s200 +example: S0552 -- -*`observer.serial_number`*:: +*`threat.software.name`*:: + -- -Observer serial number. +The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. type: keyword +example: AdFind + -- -*`observer.type`*:: +*`threat.software.platforms`*:: + -- -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. +The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. +Recommended Values: + * AWS + * Azure + * Azure AD + * GCP + * Linux + * macOS + * Network + * Office 365 + * SaaS + * Windows type: keyword -example: firewall +example: [ "Windows" ] -- -*`observer.vendor`*:: +*`threat.software.reference`*:: + -- -Vendor name of the observer. +The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword -example: Symantec +example: https://attack.mitre.org/software/S0552/ -- -*`observer.version`*:: +*`threat.software.type`*:: + -- -Observer version. +The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. 
+Recommended values + * Malware + * Tool type: keyword --- - -[float] -=== orchestrator - -Fields that describe the resources which container orchestrators manage or act upon. +example: Tool +-- -*`orchestrator.api_version`*:: +*`threat.tactic.id`*:: + -- -API version being used to carry out the action +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword -example: v1beta1 +example: TA0002 -- -*`orchestrator.cluster.name`*:: +*`threat.tactic.name`*:: + -- -Name of the cluster. +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword +example: Execution + -- -*`orchestrator.cluster.url`*:: +*`threat.tactic.reference`*:: + -- -URL of the API used to manage the cluster. +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword +example: https://attack.mitre.org/tactics/TA0002/ + -- -*`orchestrator.cluster.version`*:: +*`threat.technique.id`*:: + -- -The version of the cluster. +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword +example: T1059 + -- -*`orchestrator.namespace`*:: +*`threat.technique.name`*:: + -- -Namespace in which the action is taking place. +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: kube-system +example: Command and Scripting Interpreter -- -*`orchestrator.organization`*:: +*`threat.technique.name.text`*:: + -- -Organization affected by the event (for multi-tenant orchestrator setups). 
- -type: keyword - -example: elastic +type: text -- -*`orchestrator.resource.name`*:: +*`threat.technique.reference`*:: + -- -Name of the resource being acted upon. +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword -example: test-pod-cdcws +example: https://attack.mitre.org/techniques/T1059/ -- -*`orchestrator.resource.type`*:: +*`threat.technique.subtechnique.id`*:: + -- -Type of resource being acted upon. +The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword -example: service +example: T1059.001 -- -*`orchestrator.type`*:: +*`threat.technique.subtechnique.name`*:: + -- -Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). +The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword -example: kubernetes +example: PowerShell -- -[float] -=== organization - -The organization fields enrich data with information about the company or entity the data is associated with. -These fields help you arrange or filter data stored in an index by one or multiple organizations. - - -*`organization.id`*:: +*`threat.technique.subtechnique.name.text`*:: + -- -Unique identifier for the organization. - -type: keyword +type: text -- -*`organization.name`*:: +*`threat.technique.subtechnique.reference`*:: + -- -Organization name. +The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword --- - -*`organization.name.text`*:: -+ --- -type: text +example: https://attack.mitre.org/techniques/T1059/001/ -- [float] -=== os +=== tls -The OS fields contain information about the operating system. 
+Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. -*`os.family`*:: +*`tls.cipher`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +String indicating the cipher used during the current connection. type: keyword -example: debian +example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -- -*`os.full`*:: +*`tls.client.certificate`*:: + -- -Operating system name, including the version or code name. +PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. type: keyword -example: Mac OS Mojave +example: MII... -- -*`os.full.text`*:: +*`tls.client.certificate_chain`*:: + -- -type: text +Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ["MII...", "MII..."] -- -*`os.kernel`*:: +*`tls.client.hash.md5`*:: + -- -Operating system kernel version as a raw string. +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: 4.4.0-112-generic +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC -- -*`os.name`*:: +*`tls.client.hash.sha1`*:: + -- -Operating system name, without the version. +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
type: keyword -example: Mac OS X +example: 9E393D93138888D288266C2D915214D1D1CCEB2A -- -*`os.name.text`*:: +*`tls.client.hash.sha256`*:: + -- -type: text +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- -*`os.platform`*:: +*`tls.client.issuer`*:: + -- -Operating system platform (such centos, ubuntu, windows). +Distinguished name of subject of the issuer of the x.509 certificate presented by the client. type: keyword -example: darwin +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- -*`os.type`*:: +*`tls.client.ja3`*:: + -- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. +A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword -example: macos +example: d4e5b18d6b55c71272893221c96ba240 -- -*`os.version`*:: +*`tls.client.not_after`*:: + -- -Operating system version as a raw string. +Date/Time indicating when client certificate is no longer considered valid. -type: keyword +type: date -example: 10.14.1 +example: 2021-01-01T00:00:00.000Z -- -[float] -=== package - -These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. - - -*`package.architecture`*:: +*`tls.client.not_before`*:: + -- -Package architecture. +Date/Time indicating when client certificate is first considered valid. 
-type: keyword +type: date -example: x86_64 +example: 1970-01-01T00:00:00.000Z -- -*`package.build_version`*:: +*`tls.client.server_name`*:: + -- -Additional information about the build version of the installed package. -For example use the commit SHA of a non-released package. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword -example: 36f4f7e89dd61b0988b12ee000b98966867710cd +example: www.elastic.co -- -*`package.checksum`*:: +*`tls.client.subject`*:: + -- -Checksum of the installed package for verification. +Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: 68b329da9893e34099c7d8ad5cb9c940 +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- -*`package.description`*:: +*`tls.client.supported_ciphers`*:: + -- -Description of the package. +Array of ciphers offered by the client during the client hello. type: keyword -example: Open source programming language to build simple/reliable/efficient software. +example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] -- -*`package.install_scope`*:: +*`tls.client.x509.alternative_names`*:: + -- -Indicating how the package was installed, e.g. user-local, global. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: global +example: *.elastic.co -- -*`package.installed`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Time when package was installed. +List of common name (CN) of issuing certificate authority. -type: date +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`package.license`*:: +*`tls.client.x509.issuer.country`*:: + -- -License under which the package was released. 
-Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). +List of country (C) codes type: keyword -example: Apache License 2.0 +example: US -- -*`package.name`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Package name +Distinguished name (DN) of issuing certificate authority. type: keyword -example: go +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`package.path`*:: +*`tls.client.x509.issuer.locality`*:: + -- -Path where the package is installed. +List of locality names (L) type: keyword -example: /usr/local/Cellar/go/1.12.9/ +example: Mountain View -- -*`package.reference`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Home page or reference URL of the software in this package, if available. +List of organizations (O) of issuing certificate authority. type: keyword -example: https://golang.org +example: Example Inc -- -*`package.size`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Package size in bytes. - -type: long +List of organizational units (OU) of issuing certificate authority. -example: 62231 +type: keyword -format: string +example: www.example.com -- -*`package.type`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. +List of state or province names (ST, S, or P) type: keyword -example: rpm +example: California -- -*`package.version`*:: +*`tls.client.x509.not_after`*:: + -- -Package version +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 1.12.9 +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== pe +*`tls.client.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -These fields contain Windows Portable Executable (PE) metadata. 
+type: date +example: 2019-08-16 01:40:25+00:00 -*`pe.architecture`*:: +-- + +*`tls.client.x509.public_key_algorithm`*:: + -- -CPU architecture target for the file. +Algorithm used to generate the public key. type: keyword -example: x64 +example: RSA -- -*`pe.company`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Internal company name of the file, provided at compile-time. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -example: Microsoft Corporation +example: nistp521 -- -*`pe.description`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Internal description of the file, provided at compile-time. +Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long -example: Paint +example: 65537 + +Field is not indexed. -- -*`pe.file_version`*:: +*`tls.client.x509.public_key_size`*:: + -- -Internal version of the file, provided at compile-time. +The size of the public key space in bits. -type: keyword +type: long -example: 6.3.9600.17415 +example: 2048 -- -*`pe.imphash`*:: +*`tls.client.x509.serial_number`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf +example: 55FBB9C7DEBF09809D12CCAA -- -*`pe.original_file_name`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Internal name of the file, provided at compile-time. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: MSPAINT.EXE +example: SHA256-RSA -- -*`pe.product`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Internal product name of the file, provided at compile-time. +List of common names (CN) of subject. type: keyword -example: Microsoft® Windows® Operating System +example: shared.global.example.net -- -[float] -=== process - -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. - - -*`process.args`*:: +*`tls.client.x509.subject.country`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +List of country (C) code type: keyword -example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] +example: US -- -*`process.args_count`*:: +*`tls.client.x509.subject.distinguished_name`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +Distinguished name (DN) of the certificate subject entity. -type: long +type: keyword -example: 4 +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`process.code_signature.exists`*:: +*`tls.client.x509.subject.locality`*:: + -- -Boolean to capture if a signature is present. +List of locality names (L) -type: boolean +type: keyword -example: true +example: San Francisco -- -*`process.code_signature.signing_id`*:: +*`tls.client.x509.subject.organization`*:: + -- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. 
+List of organizations (O) of subject. type: keyword -example: com.apple.xpc.proxy +example: Example, Inc. -- -*`process.code_signature.status`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +List of organizational units (OU) of subject. type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.code_signature.subject_name`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -Subject name of the code signer +List of state or province names (ST, S, or P) type: keyword -example: Microsoft Corporation +example: California -- -*`process.code_signature.team_id`*:: +*`tls.client.x509.version_number`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. +Version of x509 format. type: keyword -example: EQHXZ8M8AV +example: 3 -- -*`process.code_signature.trusted`*:: +*`tls.curve`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +String indicating the curve used for the given cipher, when applicable. -type: boolean +type: keyword -example: true +example: secp256r1 -- -*`process.code_signature.valid`*:: +*`tls.established`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. type: boolean -example: true - -- -*`process.command_line`*:: +*`tls.next_protocol`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. 
-Some arguments may be filtered to protect sensitive information. +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 +example: http/1.1 -- -*`process.command_line.text`*:: +*`tls.resumed`*:: + -- -type: text +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. + +type: boolean -- -*`process.elf.architecture`*:: +*`tls.server.certificate`*:: + -- -Machine architecture of the ELF file. +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. type: keyword -example: x86-64 +example: MII... -- -*`process.elf.byte_order`*:: +*`tls.server.certificate_chain`*:: + -- -Byte sequence of ELF file. +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. type: keyword -example: Little Endian +example: ["MII...", "MII..."] -- -*`process.elf.cpu_type`*:: +*`tls.server.hash.md5`*:: + -- -CPU type of the ELF file. +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: Intel +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC -- -*`process.elf.creation_date`*:: +*`tls.server.hash.sha1`*:: + -- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
For consistency with other hash values, this value should be formatted as an uppercase hash. -type: date +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A -- -*`process.elf.exports`*:: +*`tls.server.hash.sha256`*:: + -- -List of exported element names and types. +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. -type: flattened +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- -*`process.elf.header.abi_version`*:: +*`tls.server.issuer`*:: + -- -Version of the ELF Application Binary Interface (ABI). +Subject of the issuer of the x.509 certificate presented by the server. type: keyword +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + -- -*`process.elf.header.class`*:: +*`tls.server.ja3s`*:: + -- -Header class of the ELF file. +A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword +example: 394441ab65754e2207b1e1b457b3641d + -- -*`process.elf.header.data`*:: +*`tls.server.not_after`*:: + -- -Data table of the ELF header. +Timestamp indicating when server certificate is no longer considered valid. -type: keyword +type: date + +example: 2021-01-01T00:00:00.000Z -- -*`process.elf.header.entrypoint`*:: +*`tls.server.not_before`*:: + -- -Header entrypoint of the ELF file. +Timestamp indicating when server certificate is first considered valid. -type: long +type: date -format: string +example: 1970-01-01T00:00:00.000Z -- -*`process.elf.header.object_version`*:: +*`tls.server.subject`*:: + -- -"0x1" for original ELF files. +Subject of the x.509 certificate presented by the server. 
type: keyword +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + -- -*`process.elf.header.os_abi`*:: +*`tls.server.x509.alternative_names`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword +example: *.elastic.co + -- -*`process.elf.header.type`*:: +*`tls.server.x509.issuer.common_name`*:: + -- -Header type of the ELF file. +List of common name (CN) of issuing certificate authority. type: keyword +example: Example SHA2 High Assurance Server CA + -- -*`process.elf.header.version`*:: +*`tls.server.x509.issuer.country`*:: + -- -Version of the ELF header. +List of country (C) codes type: keyword +example: US + -- -*`process.elf.imports`*:: +*`tls.server.x509.issuer.distinguished_name`*:: + -- -List of imported element names and types. +Distinguished name (DN) of issuing certificate authority. -type: flattened +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`process.elf.sections`*:: +*`tls.server.x509.issuer.locality`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. +List of locality names (L) -type: nested +type: keyword + +example: Mountain View -- -*`process.elf.sections.chi2`*:: +*`tls.server.x509.issuer.organization`*:: + -- -Chi-square probability distribution of the section. +List of organizations (O) of issuing certificate authority. -type: long +type: keyword -format: number +example: Example Inc -- -*`process.elf.sections.entropy`*:: +*`tls.server.x509.issuer.organizational_unit`*:: + -- -Shannon entropy calculation from the section. +List of organizational units (OU) of issuing certificate authority. 
-type: long +type: keyword -format: number +example: www.example.com -- -*`process.elf.sections.flags`*:: +*`tls.server.x509.issuer.state_or_province`*:: + -- -ELF Section List flags. +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`process.elf.sections.name`*:: +*`tls.server.x509.not_after`*:: + -- -ELF Section List name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`process.elf.sections.physical_offset`*:: +*`tls.server.x509.not_before`*:: + -- -ELF Section List offset. +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`process.elf.sections.physical_size`*:: +*`tls.server.x509.public_key_algorithm`*:: + -- -ELF Section List physical size. +Algorithm used to generate the public key. -type: long +type: keyword -format: bytes +example: RSA -- -*`process.elf.sections.type`*:: +*`tls.server.x509.public_key_curve`*:: + -- -ELF Section List type. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`process.elf.sections.virtual_address`*:: +*`tls.server.x509.public_key_exponent`*:: + -- -ELF Section List virtual address. +Exponent used to derive the public key. This is algorithm specific. type: long -format: string +example: 65537 + +Field is not indexed. -- -*`process.elf.sections.virtual_size`*:: +*`tls.server.x509.public_key_size`*:: + -- -ELF Section List virtual size. +The size of the public key space in bits. type: long -format: string +example: 2048 -- -*`process.elf.segments`*:: +*`tls.server.x509.serial_number`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. +Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. -type: nested +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA -- -*`process.elf.segments.sections`*:: +*`tls.server.x509.signature_algorithm`*:: + -- -ELF object segment sections. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword +example: SHA256-RSA + -- -*`process.elf.segments.type`*:: +*`tls.server.x509.subject.common_name`*:: + -- -ELF object segment type. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`process.elf.shared_libraries`*:: +*`tls.server.x509.subject.country`*:: + -- -List of shared libraries used by this ELF object. +List of country (C) code type: keyword +example: US + -- -*`process.elf.telfhash`*:: +*`tls.server.x509.subject.distinguished_name`*:: + -- -telfhash symbol hash for ELF file. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`process.entity_id`*:: +*`tls.server.x509.subject.locality`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +List of locality names (L) type: keyword -example: c2c455d9f99375d +example: San Francisco -- -*`process.executable`*:: +*`tls.server.x509.subject.organization`*:: + -- -Absolute path to the process executable. +List of organizations (O) of subject. 
type: keyword -example: /usr/bin/ssh +example: Example, Inc. -- -*`process.executable.text`*:: +*`tls.server.x509.subject.organizational_unit`*:: + -- -type: text +List of organizational units (OU) of subject. + +type: keyword -- -*`process.exit_code`*:: +*`tls.server.x509.subject.state_or_province`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). +List of state or province names (ST, S, or P) -type: long +type: keyword -example: 137 +example: California -- -*`process.hash.md5`*:: +*`tls.server.x509.version_number`*:: + -- -MD5 hash. +Version of x509 format. type: keyword +example: 3 + -- -*`process.hash.sha1`*:: +*`tls.version`*:: + -- -SHA1 hash. +Numeric part of the version parsed from the original string. type: keyword +example: 1.2 + -- -*`process.hash.sha256`*:: +*`tls.version_protocol`*:: + -- -SHA256 hash. +Normalized lowercase protocol name parsed from original string. type: keyword +example: tls + -- -*`process.hash.sha512`*:: +*`span.id`*:: + -- -SHA512 hash. +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. type: keyword +example: 3ff9a8981b7ccd5a + -- -*`process.hash.ssdeep`*:: +*`trace.id`*:: + -- -SSDEEP hash. +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. type: keyword +example: 4bf92f3577b34da6a3ce929d0e0e4736 + -- -*`process.name`*:: +*`transaction.id`*:: + -- -Process name. -Sometimes called program name or similar. +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. 
type: keyword -example: ssh +example: 00f067aa0ba902b7 -- -*`process.name.text`*:: -+ --- -type: text +[float] +=== url --- +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. -*`process.parent.args`*:: + +*`url.domain`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. type: keyword -example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] +example: www.elastic.co -- -*`process.parent.args_count`*:: +*`url.extension`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +The field contains the file extension from the original request url, excluding the leading dot. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). -type: long +type: keyword -example: 4 +example: png -- -*`process.parent.code_signature.exists`*:: +*`url.fragment`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. -example: true +type: keyword -- -*`process.parent.code_signature.signing_id`*:: +*`url.full`*:: + -- -The identifier used to sign the process. 
-This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. type: keyword -example: com.apple.xpc.proxy +example: https://www.elastic.co:443/search?q=elasticsearch#top -- -*`process.parent.code_signature.status`*:: +*`url.full.text`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - -type: keyword - -example: ERROR_UNTRUSTED_ROOT +type: text -- -*`process.parent.code_signature.subject_name`*:: +*`url.original`*:: + -- -Subject name of the code signer +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. type: keyword -example: Microsoft Corporation +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch -- -*`process.parent.code_signature.team_id`*:: +*`url.original.text`*:: + -- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. - -type: keyword - -example: EQHXZ8M8AV +type: text -- -*`process.parent.code_signature.trusted`*:: +*`url.password`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +Password of the request. 
-example: true +type: keyword -- -*`process.parent.code_signature.valid`*:: +*`url.path`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +Path of the request, such as "/search". -example: true +type: keyword -- -*`process.parent.command_line`*:: +*`url.port`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +Port of the request, such as 443. -type: keyword +type: long -example: /usr/bin/ssh -l user 10.0.0.16 +example: 443 + +format: string -- -*`process.parent.command_line.text`*:: +*`url.query`*:: + -- -type: text +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + +type: keyword -- -*`process.parent.elf.architecture`*:: +*`url.registered_domain`*:: + -- -Machine architecture of the ELF file. +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: x86-64 +example: example.com -- -*`process.parent.elf.byte_order`*:: +*`url.scheme`*:: + -- -Byte sequence of ELF file. +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. type: keyword -example: Little Endian +example: https -- -*`process.parent.elf.cpu_type`*:: +*`url.subdomain`*:: + -- -CPU type of the ELF file. 
+The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. type: keyword -example: Intel +example: east -- -*`process.parent.elf.creation_date`*:: +*`url.top_level_domain`*:: + -- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". -type: date +type: keyword + +example: co.uk -- -*`process.parent.elf.exports`*:: +*`url.username`*:: + -- -List of exported element names and types. +Username of the request. -type: flattened +type: keyword -- -*`process.parent.elf.header.abi_version`*:: +[float] +=== user + +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. + + +*`user.changes.domain`*:: + -- -Version of the ELF Application Binary Interface (ABI). +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`process.parent.elf.header.class`*:: +*`user.changes.email`*:: + -- -Header class of the ELF file. +User email address. 
type: keyword -- -*`process.parent.elf.header.data`*:: +*`user.changes.full_name`*:: + -- -Data table of the ELF header. +User's full name, if available. type: keyword +example: Albert Einstein + -- -*`process.parent.elf.header.entrypoint`*:: +*`user.changes.full_name.text`*:: + -- -Header entrypoint of the ELF file. - -type: long - -format: string +type: text -- -*`process.parent.elf.header.object_version`*:: +*`user.changes.group.domain`*:: + -- -"0x1" for original ELF files. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`process.parent.elf.header.os_abi`*:: +*`user.changes.group.id`*:: + -- -Application Binary Interface (ABI) of the Linux OS. +Unique identifier for the group on the system/platform. type: keyword -- -*`process.parent.elf.header.type`*:: +*`user.changes.group.name`*:: + -- -Header type of the ELF file. +Name of the group. type: keyword -- -*`process.parent.elf.header.version`*:: +*`user.changes.hash`*:: + -- -Version of the ELF header. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -- -*`process.parent.elf.imports`*:: +*`user.changes.id`*:: + -- -List of imported element names and types. +Unique identifier of the user. -type: flattened +type: keyword -- -*`process.parent.elf.sections`*:: +*`user.changes.name`*:: + -- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. +Short name or login of the user. -type: nested +type: keyword + +example: albert -- -*`process.parent.elf.sections.chi2`*:: +*`user.changes.name.text`*:: + -- -Chi-square probability distribution of the section. 
- -type: long - -format: number +type: text -- -*`process.parent.elf.sections.entropy`*:: +*`user.changes.roles`*:: + -- -Shannon entropy calculation from the section. +Array of user roles at the time of the event. -type: long +type: keyword -format: number +example: ["kibana_admin", "reporting_user"] -- -*`process.parent.elf.sections.flags`*:: +*`user.domain`*:: + -- -ELF Section List flags. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`process.parent.elf.sections.name`*:: +*`user.effective.domain`*:: + -- -ELF Section List name. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`process.parent.elf.sections.physical_offset`*:: +*`user.effective.email`*:: + -- -ELF Section List offset. +User email address. type: keyword -- -*`process.parent.elf.sections.physical_size`*:: +*`user.effective.full_name`*:: + -- -ELF Section List physical size. +User's full name, if available. -type: long +type: keyword -format: bytes +example: Albert Einstein -- -*`process.parent.elf.sections.type`*:: +*`user.effective.full_name.text`*:: + -- -ELF Section List type. - -type: keyword +type: text -- -*`process.parent.elf.sections.virtual_address`*:: +*`user.effective.group.domain`*:: + -- -ELF Section List virtual address. - -type: long +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. -format: string +type: keyword -- -*`process.parent.elf.sections.virtual_size`*:: +*`user.effective.group.id`*:: + -- -ELF Section List virtual size. - -type: long +Unique identifier for the group on the system/platform. -format: string +type: keyword -- -*`process.parent.elf.segments`*:: +*`user.effective.group.name`*:: + -- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. 
+Name of the group. -type: nested +type: keyword -- -*`process.parent.elf.segments.sections`*:: +*`user.effective.hash`*:: + -- -ELF object segment sections. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -- -*`process.parent.elf.segments.type`*:: +*`user.effective.id`*:: + -- -ELF object segment type. +Unique identifier of the user. type: keyword -- -*`process.parent.elf.shared_libraries`*:: +*`user.effective.name`*:: + -- -List of shared libraries used by this ELF object. +Short name or login of the user. type: keyword +example: albert + -- -*`process.parent.elf.telfhash`*:: +*`user.effective.name.text`*:: + -- -telfhash symbol hash for ELF file. - -type: keyword +type: text -- -*`process.parent.entity_id`*:: +*`user.effective.roles`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +Array of user roles at the time of the event. type: keyword -example: c2c455d9f99375d +example: ["kibana_admin", "reporting_user"] -- -*`process.parent.executable`*:: +*`user.email`*:: + -- -Absolute path to the process executable. +User email address. type: keyword -example: /usr/bin/ssh - -- -*`process.parent.executable.text`*:: +*`user.full_name`*:: + -- -type: text +User's full name, if available. --- +type: keyword -*`process.parent.exit_code`*:: -+ --- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). 
- -type: long - -example: 137 - --- - -*`process.parent.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`process.parent.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`process.parent.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`process.parent.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`process.parent.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - -*`process.parent.name`*:: -+ --- -Process name. -Sometimes called program name or similar. - -type: keyword - -example: ssh +example: Albert Einstein -- -*`process.parent.name.text`*:: +*`user.full_name.text`*:: + -- type: text -- -*`process.parent.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`process.parent.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`process.parent.pe.description`*:: +*`user.group.domain`*:: + -- -Internal description of the file, provided at compile-time. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: Paint - -- -*`process.parent.pe.file_version`*:: +*`user.group.id`*:: + -- -Internal version of the file, provided at compile-time. +Unique identifier for the group on the system/platform. type: keyword -example: 6.3.9600.17415 - -- -*`process.parent.pe.imphash`*:: +*`user.group.name`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +Name of the group. 
type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf - -- -*`process.parent.pe.original_file_name`*:: +*`user.hash`*:: + -- -Internal name of the file, provided at compile-time. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -example: MSPAINT.EXE - -- -*`process.parent.pe.product`*:: +*`user.id`*:: + -- -Internal product name of the file, provided at compile-time. +Unique identifier of the user. type: keyword -example: Microsoft® Windows® Operating System - --- - -*`process.parent.pgid`*:: -+ --- -Identifier of the group of processes the process belongs to. - -type: long - -format: string - --- - -*`process.parent.pid`*:: -+ --- -Process id. - -type: long - -example: 4242 - -format: string - --- - -*`process.parent.ppid`*:: -+ --- -Parent process' pid. - -type: long - -example: 4241 - -format: string - -- -*`process.parent.start`*:: -+ --- -The time the process started. - -type: date - -example: 2016-05-23T08:05:34.853Z - --- - -*`process.parent.thread.id`*:: -+ --- -Thread ID. - -type: long - -example: 4242 - -format: string - --- - -*`process.parent.thread.name`*:: +*`user.name`*:: + -- -Thread name. +Short name or login of the user. type: keyword -example: thread-0 - --- - -*`process.parent.title`*:: -+ --- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - -type: keyword +example: albert -- -*`process.parent.title.text`*:: +*`user.name.text`*:: + -- type: text -- -*`process.parent.uptime`*:: -+ --- -Seconds the process has been up. - -type: long - -example: 1325 - --- - -*`process.parent.working_directory`*:: +*`user.roles`*:: + -- -The working directory of the process. +Array of user roles at the time of the event. 
type: keyword -example: /home/alice - --- - -*`process.parent.working_directory.text`*:: -+ --- -type: text +example: ["kibana_admin", "reporting_user"] -- -*`process.pe.architecture`*:: +*`user.target.domain`*:: + -- -CPU architecture target for the file. +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: x64 - -- -*`process.pe.company`*:: +*`user.target.email`*:: + -- -Internal company name of the file, provided at compile-time. +User email address. type: keyword -example: Microsoft Corporation - -- -*`process.pe.description`*:: +*`user.target.full_name`*:: + -- -Internal description of the file, provided at compile-time. +User's full name, if available. type: keyword -example: Paint +example: Albert Einstein -- -*`process.pe.file_version`*:: +*`user.target.full_name.text`*:: + -- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 +type: text -- -*`process.pe.imphash`*:: +*`user.target.group.domain`*:: + -- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: 0c6803c4e922103c4dca5963aad36ddf - -- -*`process.pe.original_file_name`*:: +*`user.target.group.id`*:: + -- -Internal name of the file, provided at compile-time. +Unique identifier for the group on the system/platform. type: keyword -example: MSPAINT.EXE - -- -*`process.pe.product`*:: +*`user.target.group.name`*:: + -- -Internal product name of the file, provided at compile-time. +Name of the group. 
type: keyword -example: Microsoft® Windows® Operating System - --- - -*`process.pgid`*:: -+ --- -Identifier of the group of processes the process belongs to. - -type: long - -format: string - --- - -*`process.pid`*:: -+ --- -Process id. - -type: long - -example: 4242 - -format: string - --- - -*`process.ppid`*:: -+ --- -Parent process' pid. - -type: long - -example: 4241 - -format: string - --- - -*`process.start`*:: -+ --- -The time the process started. - -type: date - -example: 2016-05-23T08:05:34.853Z - --- - -*`process.thread.id`*:: -+ --- -Thread ID. - -type: long - -example: 4242 - -format: string - -- -*`process.thread.name`*:: +*`user.target.hash`*:: + -- -Thread name. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -example: thread-0 - -- -*`process.title`*:: +*`user.target.id`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +Unique identifier of the user. type: keyword -- -*`process.title.text`*:: -+ --- -type: text - --- - -*`process.uptime`*:: -+ --- -Seconds the process has been up. - -type: long - -example: 1325 - --- - -*`process.working_directory`*:: +*`user.target.name`*:: + -- -The working directory of the process. +Short name or login of the user. type: keyword -example: /home/alice +example: albert -- -*`process.working_directory.text`*:: +*`user.target.name.text`*:: + -- type: text -- -[float] -=== registry - -Fields related to Windows Registry operations. - - -*`registry.data.bytes`*:: -+ --- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. 
- -type: keyword - -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - --- - -*`registry.data.strings`*:: -+ --- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - -type: keyword - -example: ["C:\rta\red_ttp\bin\myapp.exe"] - --- - -*`registry.data.type`*:: -+ --- -Standard registry type for encoding contents - -type: keyword - -example: REG_SZ - --- - -*`registry.hive`*:: +*`user.target.roles`*:: + -- -Abbreviated name for the hive. +Array of user roles at the time of the event. type: keyword -example: HKLM - --- +example: ["kibana_admin", "reporting_user"] -*`registry.key`*:: -+ -- -Hive-relative path of keys. -type: keyword +[float] +=== user_agent -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. --- -*`registry.path`*:: +*`user_agent.device.name`*:: + -- -Full path, including hive, key and value +Name of the device. type: keyword -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger +example: iPhone -- -*`registry.value`*:: +*`user_agent.name`*:: + -- -Name of the value written. +Name of the user agent. type: keyword -example: Debugger - --- - -[float] -=== related - -This field set is meant to facilitate pivoting around a piece of data. -Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
-A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. - - -*`related.hash`*:: -+ --- -All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - -type: keyword +example: Safari -- -*`related.hosts`*:: +*`user_agent.original`*:: + -- -All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. +Unparsed user_agent string. type: keyword --- - -*`related.ip`*:: -+ --- -All of the IPs seen on your event. - -type: ip - --- - -*`related.user`*:: -+ --- -All the user names or other user identifiers seen on the event. - -type: keyword +example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 -- -[float] -=== rule - -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. - - -*`rule.author`*:: +*`user_agent.original.text`*:: + -- -Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - -type: keyword - -example: ["Star-Lord"] +type: text -- -*`rule.category`*:: +*`user_agent.os.family`*:: + -- -A categorization value keyword used by the entity using the rule for detection of this event. +OS family (such as redhat, debian, freebsd, windows). 
type: keyword -example: Attempted Information Leak +example: debian -- -*`rule.description`*:: +*`user_agent.os.full`*:: + -- -The description of the rule generating the event. - -type: keyword - -example: Block requests to public DNS over HTTPS / TLS protocols - --- - -*`rule.id`*:: -+ --- -A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - -type: keyword - -example: 101 - --- - -*`rule.license`*:: -+ --- -Name of the license under which the rule used to generate this event is made available. - -type: keyword - -example: Apache 2.0 - --- - -*`rule.name`*:: -+ --- -The name of the rule or signature generating the event. - -type: keyword - -example: BLOCK_DNS_over_TLS - --- - -*`rule.reference`*:: -+ --- -Reference URL to additional information about the rule used to generate this event. -The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. - -type: keyword - -example: https://en.wikipedia.org/wiki/DNS_over_TLS - --- - -*`rule.ruleset`*:: -+ --- -Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - -type: keyword - -example: Standard_Protocol_Filters - --- - -*`rule.uuid`*:: -+ --- -A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - -type: keyword - -example: 1100110011 - --- - -*`rule.version`*:: -+ --- -The version / revision of the rule being used for analysis. - -type: keyword - -example: 1.1 - --- - -[float] -=== server - -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. 
For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. - - -*`server.address`*:: -+ --- -Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - -type: keyword - --- - -*`server.as.number`*:: -+ --- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`server.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`server.as.organization.name.text`*:: -+ --- -type: text - --- - -*`server.bytes`*:: -+ --- -Bytes sent from the server to the client. - -type: long - -example: 184 - -format: bytes - --- - -*`server.domain`*:: -+ --- -Server domain. - -type: keyword - --- - -*`server.geo.city_name`*:: -+ --- -City name. - -type: keyword - -example: Montreal - --- - -*`server.geo.continent_code`*:: -+ --- -Two-letter code representing continent's name. - -type: keyword - -example: NA - --- - -*`server.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`server.geo.country_iso_code`*:: -+ --- -Country ISO code. 
- -type: keyword - -example: CA - --- - -*`server.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`server.geo.location`*:: -+ --- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`server.geo.name`*:: -+ --- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword - -example: boston-dc - --- - -*`server.geo.postal_code`*:: -+ --- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - -type: keyword - -example: 94040 - --- - -*`server.geo.region_iso_code`*:: -+ --- -Region ISO code. - -type: keyword - -example: CA-QC - --- - -*`server.geo.region_name`*:: -+ --- -Region name. - -type: keyword - -example: Quebec - --- - -*`server.geo.timezone`*:: -+ --- -The time zone of the location, such as IANA time zone name. - -type: keyword - -example: America/Argentina/Buenos_Aires - --- - -*`server.ip`*:: -+ --- -IP address of the server (IPv4 or IPv6). - -type: ip - --- - -*`server.mac`*:: -+ --- -MAC address of the server. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - -type: keyword - -example: 00-00-5E-00-53-23 - --- - -*`server.nat.ip`*:: -+ --- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. - -type: ip - --- - -*`server.nat.port`*:: -+ --- -Translated port of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. 
- -type: long - -format: string - --- - -*`server.packets`*:: -+ --- -Packets sent from the server to the client. - -type: long - -example: 12 - --- - -*`server.port`*:: -+ --- -Port of the server. - -type: long - -format: string - --- - -*`server.registered_domain`*:: -+ --- -The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`server.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: east - --- - -*`server.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`server.user.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`server.user.email`*:: -+ --- -User email address. 
- -type: keyword - --- - -*`server.user.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`server.user.full_name.text`*:: -+ --- -type: text - --- - -*`server.user.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`server.user.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`server.user.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`server.user.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`server.user.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`server.user.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`server.user.name.text`*:: -+ --- -type: text - --- - -*`server.user.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -[float] -=== service - -The service fields describe the service for or from which the data was collected. -These fields help you find and correlate logs for a specific service and version. - - -*`service.ephemeral_id`*:: -+ --- -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -type: keyword - -example: 8a4f500f - --- - -*`service.id`*:: -+ --- -Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. -This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. 
-Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - -type: keyword - -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - --- - -*`service.name`*:: -+ --- -Name of the service data is collected from. -The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. -In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - -type: keyword - -example: elasticsearch-metrics - --- - -*`service.node.name`*:: -+ --- -Name of a service node. -This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. -In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. - -type: keyword - -example: instance-0000000016 - --- - -*`service.state`*:: -+ --- -Current state of the service. - -type: keyword - --- - -*`service.type`*:: -+ --- -The type of the service data is collected from. -The type can be used to group and correlate logs and metrics from one service type. -Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - -type: keyword - -example: elasticsearch - --- - -*`service.version`*:: -+ --- -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. 
- -type: keyword - -example: 3.2.4 - --- - -[float] -=== source - -Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. -Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. - - -*`source.address`*:: -+ --- -Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - -type: keyword - --- - -*`source.as.number`*:: -+ --- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`source.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`source.as.organization.name.text`*:: -+ --- -type: text - --- - -*`source.bytes`*:: -+ --- -Bytes sent from the source to the destination. - -type: long - -example: 184 - -format: bytes - --- - -*`source.domain`*:: -+ --- -Source domain. - -type: keyword - --- - -*`source.geo.city_name`*:: -+ --- -City name. - -type: keyword - -example: Montreal - --- - -*`source.geo.continent_code`*:: -+ --- -Two-letter code representing continent's name. - -type: keyword - -example: NA - --- - -*`source.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`source.geo.country_iso_code`*:: -+ --- -Country ISO code. 
- -type: keyword - -example: CA - --- - -*`source.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`source.geo.location`*:: -+ --- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`source.geo.name`*:: -+ --- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword - -example: boston-dc - --- - -*`source.geo.postal_code`*:: -+ --- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - -type: keyword - -example: 94040 - --- - -*`source.geo.region_iso_code`*:: -+ --- -Region ISO code. - -type: keyword - -example: CA-QC - --- - -*`source.geo.region_name`*:: -+ --- -Region name. - -type: keyword - -example: Quebec - --- - -*`source.geo.timezone`*:: -+ --- -The time zone of the location, such as IANA time zone name. - -type: keyword - -example: America/Argentina/Buenos_Aires - --- - -*`source.ip`*:: -+ --- -IP address of the source (IPv4 or IPv6). - -type: ip - --- - -*`source.mac`*:: -+ --- -MAC address of the source. -The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - -type: keyword - -example: 00-00-5E-00-53-23 - --- - -*`source.nat.ip`*:: -+ --- -Translated ip of source based NAT sessions (e.g. internal client to internet) -Typically connections traversing load balancers, firewalls, or routers. - -type: ip - --- - -*`source.nat.port`*:: -+ --- -Translated port of source based NAT sessions. (e.g. 
internal client to internet) -Typically used with load balancers, firewalls, or routers. - -type: long - -format: string - --- - -*`source.packets`*:: -+ --- -Packets sent from the source to the destination. - -type: long - -example: 12 - --- - -*`source.port`*:: -+ --- -Port of the source. - -type: long - -format: string - --- - -*`source.registered_domain`*:: -+ --- -The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`source.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: east - --- - -*`source.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`source.user.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. 
- -type: keyword - --- - -*`source.user.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`source.user.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`source.user.full_name.text`*:: -+ --- -type: text - --- - -*`source.user.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`source.user.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`source.user.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`source.user.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`source.user.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`source.user.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`source.user.name.text`*:: -+ --- -type: text - --- - -*`source.user.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -[float] -=== threat - -Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. -These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). - - -*`threat.enrichments`*:: -+ --- -A list of associated indicators objects enriching the event, and the context of that association/enrichment. 
- -type: nested - --- - -*`threat.enrichments.indicator`*:: -+ --- -Object containing associated indicators enriching the event. - -type: object - --- - -*`threat.enrichments.indicator.as.number`*:: -+ --- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`threat.enrichments.indicator.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`threat.enrichments.indicator.as.organization.name.text`*:: -+ --- -type: text - --- - -*`threat.enrichments.indicator.confidence`*:: -+ --- -Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values: - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - -type: keyword - -example: High - --- - -*`threat.enrichments.indicator.description`*:: -+ --- -Describes the type of action conducted by the threat. - -type: keyword - -example: IP x.x.x.x was observed delivering the Angler EK. - --- - -*`threat.enrichments.indicator.email.address`*:: -+ --- -Identifies a threat indicator as an email address (irrespective of direction). - -type: keyword - -example: phish@example.com - --- - -*`threat.enrichments.indicator.file.accessed`*:: -+ --- -Last time the file was accessed. -Note that not all filesystems keep track of access time. - -type: date - --- - -*`threat.enrichments.indicator.file.attributes`*:: -+ --- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - -type: keyword - -example: ["readonly", "system"] - --- - -*`threat.enrichments.indicator.file.code_signature.exists`*:: -+ --- -Boolean to capture if a signature is present. 
- -type: boolean - -example: true - --- - -*`threat.enrichments.indicator.file.code_signature.signing_id`*:: -+ --- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - -type: keyword - -example: com.apple.xpc.proxy - --- - -*`threat.enrichments.indicator.file.code_signature.status`*:: -+ --- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - -type: keyword - -example: ERROR_UNTRUSTED_ROOT - --- - -*`threat.enrichments.indicator.file.code_signature.subject_name`*:: -+ --- -Subject name of the code signer - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.file.code_signature.team_id`*:: -+ --- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. - -type: keyword - -example: EQHXZ8M8AV - --- - -*`threat.enrichments.indicator.file.code_signature.trusted`*:: -+ --- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true - --- - -*`threat.enrichments.indicator.file.code_signature.valid`*:: -+ --- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean - -example: true - --- - -*`threat.enrichments.indicator.file.created`*:: -+ --- -File creation time. -Note that not all filesystems store the creation time. - -type: date - --- - -*`threat.enrichments.indicator.file.ctime`*:: -+ --- -Last time the file attributes or metadata changed. 
-Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - -type: date - --- - -*`threat.enrichments.indicator.file.device`*:: -+ --- -Device that is the source of the file. - -type: keyword - -example: sda - --- - -*`threat.enrichments.indicator.file.directory`*:: -+ --- -Directory where the file is located. It should include the drive letter, when appropriate. - -type: keyword - -example: /home/alice - --- - -*`threat.enrichments.indicator.file.drive_letter`*:: -+ --- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. - -type: keyword - -example: C - --- - -*`threat.enrichments.indicator.file.elf.architecture`*:: -+ --- -Machine architecture of the ELF file. - -type: keyword - -example: x86-64 - --- - -*`threat.enrichments.indicator.file.elf.byte_order`*:: -+ --- -Byte sequence of ELF file. - -type: keyword - -example: Little Endian - --- - -*`threat.enrichments.indicator.file.elf.cpu_type`*:: -+ --- -CPU type of the ELF file. - -type: keyword - -example: Intel - --- - -*`threat.enrichments.indicator.file.elf.creation_date`*:: -+ --- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - -type: date - --- - -*`threat.enrichments.indicator.file.elf.exports`*:: -+ --- -List of exported element names and types. - -type: flattened - --- - -*`threat.enrichments.indicator.file.elf.header.abi_version`*:: -+ --- -Version of the ELF Application Binary Interface (ABI). - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.class`*:: -+ --- -Header class of the ELF file. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.data`*:: -+ --- -Data table of the ELF header. 
- -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.entrypoint`*:: -+ --- -Header entrypoint of the ELF file. - -type: long - -format: string - --- - -*`threat.enrichments.indicator.file.elf.header.object_version`*:: -+ --- -"0x1" for original ELF files. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.os_abi`*:: -+ --- -Application Binary Interface (ABI) of the Linux OS. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.type`*:: -+ --- -Header type of the ELF file. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.header.version`*:: -+ --- -Version of the ELF header. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.imports`*:: -+ --- -List of imported element names and types. - -type: flattened - --- - -*`threat.enrichments.indicator.file.elf.sections`*:: -+ --- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. - -type: nested - --- - -*`threat.enrichments.indicator.file.elf.sections.chi2`*:: -+ --- -Chi-square probability distribution of the section. - -type: long - -format: number - --- - -*`threat.enrichments.indicator.file.elf.sections.entropy`*:: -+ --- -Shannon entropy calculation from the section. - -type: long - -format: number - --- - -*`threat.enrichments.indicator.file.elf.sections.flags`*:: -+ --- -ELF Section List flags. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.sections.name`*:: -+ --- -ELF Section List name. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.sections.physical_offset`*:: -+ --- -ELF Section List offset. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.sections.physical_size`*:: -+ --- -ELF Section List physical size. - -type: long - -format: bytes - --- - -*`threat.enrichments.indicator.file.elf.sections.type`*:: -+ --- -ELF Section List type. 
- -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.sections.virtual_address`*:: -+ --- -ELF Section List virtual address. - -type: long - -format: string - --- - -*`threat.enrichments.indicator.file.elf.sections.virtual_size`*:: -+ --- -ELF Section List virtual size. - -type: long - -format: string - --- - -*`threat.enrichments.indicator.file.elf.segments`*:: -+ --- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. - -type: nested - --- - -*`threat.enrichments.indicator.file.elf.segments.sections`*:: -+ --- -ELF object segment sections. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.segments.type`*:: -+ --- -ELF object segment type. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.shared_libraries`*:: -+ --- -List of shared libraries used by this ELF object. - -type: keyword - --- - -*`threat.enrichments.indicator.file.elf.telfhash`*:: -+ --- -telfhash symbol hash for ELF file. - -type: keyword - --- - -*`threat.enrichments.indicator.file.extension`*:: -+ --- -File extension, excluding the leading dot. -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword - -example: png - --- - -*`threat.enrichments.indicator.file.gid`*:: -+ --- -Primary group ID (GID) of the file. - -type: keyword - -example: 1001 - --- - -*`threat.enrichments.indicator.file.group`*:: -+ --- -Primary group name of the file. - -type: keyword - -example: alice - --- - -*`threat.enrichments.indicator.file.inode`*:: -+ --- -Inode representing the file in the filesystem. 
- -type: keyword - -example: 256383 - --- - -*`threat.enrichments.indicator.file.mime_type`*:: -+ --- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - -type: keyword - --- - -*`threat.enrichments.indicator.file.mode`*:: -+ --- -Mode of the file in octal representation. - -type: keyword - -example: 0640 - --- - -*`threat.enrichments.indicator.file.mtime`*:: -+ --- -Last time the file content was modified. - -type: date - --- - -*`threat.enrichments.indicator.file.name`*:: -+ --- -Name of the file including the extension, without the directory. - -type: keyword - -example: example.png - --- - -*`threat.enrichments.indicator.file.owner`*:: -+ --- -File owner's username. - -type: keyword - -example: alice - --- - -*`threat.enrichments.indicator.file.path`*:: -+ --- -Full path to the file, including the file name. It should include the drive letter, when appropriate. - -type: keyword - -example: /home/alice/example.png - --- - -*`threat.enrichments.indicator.file.path.text`*:: -+ --- -type: text - --- - -*`threat.enrichments.indicator.file.size`*:: -+ --- -File size in bytes. -Only relevant when `file.type` is "file". - -type: long - -example: 16384 - --- - -*`threat.enrichments.indicator.file.target_path`*:: -+ --- -Target path for symlinks. - -type: keyword - --- - -*`threat.enrichments.indicator.file.target_path.text`*:: -+ --- -type: text - --- - -*`threat.enrichments.indicator.file.type`*:: -+ --- -File type (file, dir, or symlink). - -type: keyword - -example: file - --- - -*`threat.enrichments.indicator.file.uid`*:: -+ --- -The user ID (UID) or security identifier (SID) of the file owner. 
- -type: keyword - -example: 1001 - --- - -*`threat.enrichments.indicator.first_seen`*:: -+ --- -The date and time when intelligence source first reported sighting this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.enrichments.indicator.geo.city_name`*:: -+ --- -City name. - -type: keyword - -example: Montreal - --- - -*`threat.enrichments.indicator.geo.continent_code`*:: -+ --- -Two-letter code representing continent's name. - -type: keyword - -example: NA - --- - -*`threat.enrichments.indicator.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`threat.enrichments.indicator.geo.country_iso_code`*:: -+ --- -Country ISO code. - -type: keyword - -example: CA - --- - -*`threat.enrichments.indicator.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`threat.enrichments.indicator.geo.location`*:: -+ --- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`threat.enrichments.indicator.geo.name`*:: -+ --- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword - -example: boston-dc - --- - -*`threat.enrichments.indicator.geo.postal_code`*:: -+ --- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - -type: keyword - -example: 94040 - --- - -*`threat.enrichments.indicator.geo.region_iso_code`*:: -+ --- -Region ISO code. - -type: keyword - -example: CA-QC - --- - -*`threat.enrichments.indicator.geo.region_name`*:: -+ --- -Region name. 
- -type: keyword - -example: Quebec - --- - -*`threat.enrichments.indicator.geo.timezone`*:: -+ --- -The time zone of the location, such as IANA time zone name. - -type: keyword - -example: America/Argentina/Buenos_Aires - --- - -*`threat.enrichments.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.sha512`*:: -+ --- -SHA512 hash. - -type: keyword - --- - -*`threat.enrichments.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - -*`threat.enrichments.indicator.ip`*:: -+ --- -Identifies a threat indicator as an IP address (irrespective of direction). - -type: ip - -example: 1.2.3.4 - --- - -*`threat.enrichments.indicator.last_seen`*:: -+ --- -The date and time when intelligence source last reported sighting this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.enrichments.indicator.marking.tlp`*:: -+ --- -Traffic Light Protocol sharing markings. Recommended values are: - * WHITE - * GREEN - * AMBER - * RED - -type: keyword - -example: White - --- - -*`threat.enrichments.indicator.modified_at`*:: -+ --- -The date and time when intelligence source last modified information for this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.enrichments.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.enrichments.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.enrichments.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. 
- -type: keyword - -example: Paint - --- - -*`threat.enrichments.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.enrichments.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.enrichments.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. - -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.enrichments.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - -*`threat.enrichments.indicator.port`*:: -+ --- -Identifies a threat indicator as a port number (irrespective of direction). - -type: long - -example: 443 - --- - -*`threat.enrichments.indicator.provider`*:: -+ --- -The name of the indicator's provider. - -type: keyword - -example: lrz_urlhaus - --- - -*`threat.enrichments.indicator.reference`*:: -+ --- -Reference URL linking to additional information about this indicator. - -type: keyword - -example: https://system.example.com/indicator/0001234 - --- - -*`threat.enrichments.indicator.registry.data.bytes`*:: -+ --- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. 
- -type: keyword - -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - --- - -*`threat.enrichments.indicator.registry.data.strings`*:: -+ --- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - -type: keyword - -example: ["C:\rta\red_ttp\bin\myapp.exe"] - --- - -*`threat.enrichments.indicator.registry.data.type`*:: -+ --- -Standard registry type for encoding contents - -type: keyword - -example: REG_SZ - --- - -*`threat.enrichments.indicator.registry.hive`*:: -+ --- -Abbreviated name for the hive. - -type: keyword - -example: HKLM - --- - -*`threat.enrichments.indicator.registry.key`*:: -+ --- -Hive-relative path of keys. - -type: keyword - -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - --- - -*`threat.enrichments.indicator.registry.path`*:: -+ --- -Full path, including hive, key and value - -type: keyword - -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - --- - -*`threat.enrichments.indicator.registry.value`*:: -+ --- -Name of the value written. - -type: keyword - -example: Debugger - --- - -*`threat.enrichments.indicator.scanner_stats`*:: -+ --- -Count of AV/EDR vendors that successfully detected malicious file or URL. - -type: long - -example: 4 - --- - -*`threat.enrichments.indicator.sightings`*:: -+ --- -Number of times this indicator was observed conducting threat activity. - -type: long - -example: 20 - --- - -*`threat.enrichments.indicator.type`*:: -+ --- -Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - -type: keyword - -example: ipv4-addr - --- - -*`threat.enrichments.indicator.url.domain`*:: -+ --- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - -type: keyword - -example: www.elastic.co - --- - -*`threat.enrichments.indicator.url.extension`*:: -+ --- -The field contains the file extension from the original request url, excluding the leading dot. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword - -example: png - --- - -*`threat.enrichments.indicator.url.fragment`*:: -+ --- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. - -type: keyword - --- - -*`threat.enrichments.indicator.url.full`*:: -+ --- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top - --- - -*`threat.enrichments.indicator.url.full.text`*:: -+ --- -type: text - --- - -*`threat.enrichments.indicator.url.original`*:: -+ --- -Unmodified original url as seen in the event source. 
-Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - --- - -*`threat.enrichments.indicator.url.original.text`*:: -+ --- -type: text - --- - -*`threat.enrichments.indicator.url.password`*:: -+ --- -Password of the request. - -type: keyword - --- - -*`threat.enrichments.indicator.url.path`*:: -+ --- -Path of the request, such as "/search". - -type: keyword - --- - -*`threat.enrichments.indicator.url.port`*:: -+ --- -Port of the request, such as 443. - -type: long - -example: 443 - -format: string - --- - -*`threat.enrichments.indicator.url.query`*:: -+ --- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - -type: keyword - --- - -*`threat.enrichments.indicator.url.registered_domain`*:: -+ --- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`threat.enrichments.indicator.url.scheme`*:: -+ --- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. 
- -type: keyword - -example: https - --- - -*`threat.enrichments.indicator.url.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: east - --- - -*`threat.enrichments.indicator.url.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`threat.enrichments.indicator.url.username`*:: -+ --- -Username of the request. - -type: keyword - --- - -*`threat.enrichments.indicator.x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - -*`threat.enrichments.indicator.x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. 
- -type: keyword - -example: Example SHA2 High Assurance Server CA - --- - -*`threat.enrichments.indicator.x509.issuer.country`*:: -+ --- -List of country (C) codes - -type: keyword - -example: US - --- - -*`threat.enrichments.indicator.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`threat.enrichments.indicator.x509.issuer.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: Mountain View - --- - -*`threat.enrichments.indicator.x509.issuer.organization`*:: -+ --- -List of organizations (O) of issuing certificate authority. - -type: keyword - -example: Example Inc - --- - -*`threat.enrichments.indicator.x509.issuer.organizational_unit`*:: -+ --- -List of organizational units (OU) of issuing certificate authority. - -type: keyword - -example: www.example.com - --- - -*`threat.enrichments.indicator.x509.issuer.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`threat.enrichments.indicator.x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39+00:00 - --- - -*`threat.enrichments.indicator.x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 - --- - -*`threat.enrichments.indicator.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`threat.enrichments.indicator.x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword - -example: nistp521 - --- - -*`threat.enrichments.indicator.x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. 
- -type: long - -example: 65537 - -Field is not indexed. - --- - -*`threat.enrichments.indicator.x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`threat.enrichments.indicator.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`threat.enrichments.indicator.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword - -example: SHA256-RSA - --- - -*`threat.enrichments.indicator.x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. - -type: keyword - -example: shared.global.example.net - --- - -*`threat.enrichments.indicator.x509.subject.country`*:: -+ --- -List of country (C) code - -type: keyword - -example: US - --- - -*`threat.enrichments.indicator.x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`threat.enrichments.indicator.x509.subject.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: San Francisco - --- - -*`threat.enrichments.indicator.x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. - -type: keyword - -example: Example, Inc. - --- - -*`threat.enrichments.indicator.x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. 
- -type: keyword - --- - -*`threat.enrichments.indicator.x509.subject.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`threat.enrichments.indicator.x509.version_number`*:: -+ --- -Version of x509 format. - -type: keyword - -example: 3 - --- - -*`threat.enrichments.matched.atomic`*:: -+ --- -Identifies the atomic indicator value that matched a local environment endpoint or network event. - -type: keyword - -example: bad-domain.com - --- - -*`threat.enrichments.matched.field`*:: -+ --- -Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - -type: keyword - -example: file.hash.sha256 - --- - -*`threat.enrichments.matched.id`*:: -+ --- -Identifies the _id of the indicator document enriching the event. - -type: keyword - -example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - --- - -*`threat.enrichments.matched.index`*:: -+ --- -Identifies the _index of the indicator document enriching the event. - -type: keyword - -example: filebeat-8.0.0-2021.05.23-000011 - --- - -*`threat.enrichments.matched.type`*:: -+ --- -Identifies the type of match that caused the event to be enriched with the given indicator - -type: keyword - -example: indicator_match_rule - --- - -*`threat.framework`*:: -+ --- -Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - -type: keyword - -example: MITRE ATT&CK - --- - -*`threat.group.alias`*:: -+ --- -The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). 
- -type: keyword - -example: [ "Magecart Group 6" ] - --- - -*`threat.group.id`*:: -+ --- -The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. - -type: keyword - -example: G0037 - --- - -*`threat.group.name`*:: -+ --- -The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. - -type: keyword - -example: FIN6 - --- - -*`threat.group.reference`*:: -+ --- -The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. - -type: keyword - -example: https://attack.mitre.org/groups/G0037/ - --- - -*`threat.indicator.as.number`*:: -+ --- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long - -example: 15169 - --- - -*`threat.indicator.as.organization.name`*:: -+ --- -Organization name. - -type: keyword - -example: Google LLC - --- - -*`threat.indicator.as.organization.name.text`*:: -+ --- -type: text - --- - -*`threat.indicator.confidence`*:: -+ --- -Identifies the confidence rating assigned by the provider using STIX confidence scales. -Recommended values: - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - -type: keyword - -example: High - --- - -*`threat.indicator.description`*:: -+ --- -Describes the type of action conducted by the threat. - -type: keyword - -example: IP x.x.x.x was observed delivering the Angler EK. - --- - -*`threat.indicator.email.address`*:: -+ --- -Identifies a threat indicator as an email address (irrespective of direction). 
- -type: keyword - -example: phish@example.com - --- - -*`threat.indicator.file.accessed`*:: -+ --- -Last time the file was accessed. -Note that not all filesystems keep track of access time. - -type: date - --- - -*`threat.indicator.file.attributes`*:: -+ --- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - -type: keyword - -example: ["readonly", "system"] - --- - -*`threat.indicator.file.code_signature.exists`*:: -+ --- -Boolean to capture if a signature is present. - -type: boolean - -example: true - --- - -*`threat.indicator.file.code_signature.signing_id`*:: -+ --- -The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - -type: keyword - -example: com.apple.xpc.proxy - --- - -*`threat.indicator.file.code_signature.status`*:: -+ --- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - -type: keyword - -example: ERROR_UNTRUSTED_ROOT - --- - -*`threat.indicator.file.code_signature.subject_name`*:: -+ --- -Subject name of the code signer - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.file.code_signature.team_id`*:: -+ --- -The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. - -type: keyword - -example: EQHXZ8M8AV - --- - -*`threat.indicator.file.code_signature.trusted`*:: -+ --- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
- -type: boolean - -example: true - --- - -*`threat.indicator.file.code_signature.valid`*:: -+ --- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean - -example: true - --- - -*`threat.indicator.file.created`*:: -+ --- -File creation time. -Note that not all filesystems store the creation time. - -type: date - --- - -*`threat.indicator.file.ctime`*:: -+ --- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - -type: date - --- - -*`threat.indicator.file.device`*:: -+ --- -Device that is the source of the file. - -type: keyword - -example: sda - --- - -*`threat.indicator.file.directory`*:: -+ --- -Directory where the file is located. It should include the drive letter, when appropriate. - -type: keyword - -example: /home/alice - --- - -*`threat.indicator.file.drive_letter`*:: -+ --- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. - -type: keyword - -example: C - --- - -*`threat.indicator.file.elf.architecture`*:: -+ --- -Machine architecture of the ELF file. - -type: keyword - -example: x86-64 - --- - -*`threat.indicator.file.elf.byte_order`*:: -+ --- -Byte sequence of ELF file. - -type: keyword - -example: Little Endian - --- - -*`threat.indicator.file.elf.cpu_type`*:: -+ --- -CPU type of the ELF file. - -type: keyword - -example: Intel - --- - -*`threat.indicator.file.elf.creation_date`*:: -+ --- -Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - -type: date - --- - -*`threat.indicator.file.elf.exports`*:: -+ --- -List of exported element names and types. 
- -type: flattened - --- - -*`threat.indicator.file.elf.header.abi_version`*:: -+ --- -Version of the ELF Application Binary Interface (ABI). - -type: keyword - --- - -*`threat.indicator.file.elf.header.class`*:: -+ --- -Header class of the ELF file. - -type: keyword - --- - -*`threat.indicator.file.elf.header.data`*:: -+ --- -Data table of the ELF header. - -type: keyword - --- - -*`threat.indicator.file.elf.header.entrypoint`*:: -+ --- -Header entrypoint of the ELF file. - -type: long - -format: string - --- - -*`threat.indicator.file.elf.header.object_version`*:: -+ --- -"0x1" for original ELF files. - -type: keyword - --- - -*`threat.indicator.file.elf.header.os_abi`*:: -+ --- -Application Binary Interface (ABI) of the Linux OS. - -type: keyword - --- - -*`threat.indicator.file.elf.header.type`*:: -+ --- -Header type of the ELF file. - -type: keyword - --- - -*`threat.indicator.file.elf.header.version`*:: -+ --- -Version of the ELF header. - -type: keyword - --- - -*`threat.indicator.file.elf.imports`*:: -+ --- -List of imported element names and types. - -type: flattened - --- - -*`threat.indicator.file.elf.sections`*:: -+ --- -An array containing an object for each section of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. - -type: nested - --- - -*`threat.indicator.file.elf.sections.chi2`*:: -+ --- -Chi-square probability distribution of the section. - -type: long - -format: number - --- - -*`threat.indicator.file.elf.sections.entropy`*:: -+ --- -Shannon entropy calculation from the section. - -type: long - -format: number - --- - -*`threat.indicator.file.elf.sections.flags`*:: -+ --- -ELF Section List flags. - -type: keyword - --- - -*`threat.indicator.file.elf.sections.name`*:: -+ --- -ELF Section List name. - -type: keyword - --- - -*`threat.indicator.file.elf.sections.physical_offset`*:: -+ --- -ELF Section List offset. 
- -type: keyword - --- - -*`threat.indicator.file.elf.sections.physical_size`*:: -+ --- -ELF Section List physical size. - -type: long - -format: bytes - --- - -*`threat.indicator.file.elf.sections.type`*:: -+ --- -ELF Section List type. - -type: keyword - --- - -*`threat.indicator.file.elf.sections.virtual_address`*:: -+ --- -ELF Section List virtual address. - -type: long - -format: string - --- - -*`threat.indicator.file.elf.sections.virtual_size`*:: -+ --- -ELF Section List virtual size. - -type: long - -format: string - --- - -*`threat.indicator.file.elf.segments`*:: -+ --- -An array containing an object for each segment of the ELF file. -The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. - -type: nested - --- - -*`threat.indicator.file.elf.segments.sections`*:: -+ --- -ELF object segment sections. - -type: keyword - --- - -*`threat.indicator.file.elf.segments.type`*:: -+ --- -ELF object segment type. - -type: keyword - --- - -*`threat.indicator.file.elf.shared_libraries`*:: -+ --- -List of shared libraries used by this ELF object. - -type: keyword - --- - -*`threat.indicator.file.elf.telfhash`*:: -+ --- -telfhash symbol hash for ELF file. - -type: keyword - --- - -*`threat.indicator.file.extension`*:: -+ --- -File extension, excluding the leading dot. -Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword - -example: png - --- - -*`threat.indicator.file.gid`*:: -+ --- -Primary group ID (GID) of the file. - -type: keyword - -example: 1001 - --- - -*`threat.indicator.file.group`*:: -+ --- -Primary group name of the file. - -type: keyword - -example: alice - --- - -*`threat.indicator.file.inode`*:: -+ --- -Inode representing the file in the filesystem. 
- -type: keyword - -example: 256383 - --- - -*`threat.indicator.file.mime_type`*:: -+ --- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - -type: keyword - --- - -*`threat.indicator.file.mode`*:: -+ --- -Mode of the file in octal representation. - -type: keyword - -example: 0640 - --- - -*`threat.indicator.file.mtime`*:: -+ --- -Last time the file content was modified. - -type: date - --- - -*`threat.indicator.file.name`*:: -+ --- -Name of the file including the extension, without the directory. - -type: keyword - -example: example.png - --- - -*`threat.indicator.file.owner`*:: -+ --- -File owner's username. - -type: keyword - -example: alice - --- - -*`threat.indicator.file.path`*:: -+ --- -Full path to the file, including the file name. It should include the drive letter, when appropriate. - -type: keyword - -example: /home/alice/example.png - --- - -*`threat.indicator.file.path.text`*:: -+ --- -type: text - --- - -*`threat.indicator.file.size`*:: -+ --- -File size in bytes. -Only relevant when `file.type` is "file". - -type: long - -example: 16384 - --- - -*`threat.indicator.file.target_path`*:: -+ --- -Target path for symlinks. - -type: keyword - --- - -*`threat.indicator.file.target_path.text`*:: -+ --- -type: text - --- - -*`threat.indicator.file.type`*:: -+ --- -File type (file, dir, or symlink). - -type: keyword - -example: file - --- - -*`threat.indicator.file.uid`*:: -+ --- -The user ID (UID) or security identifier (SID) of the file owner. - -type: keyword - -example: 1001 - --- - -*`threat.indicator.first_seen`*:: -+ --- -The date and time when intelligence source first reported sighting this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.indicator.geo.city_name`*:: -+ --- -City name. 
- -type: keyword - -example: Montreal - --- - -*`threat.indicator.geo.continent_code`*:: -+ --- -Two-letter code representing continent's name. - -type: keyword - -example: NA - --- - -*`threat.indicator.geo.continent_name`*:: -+ --- -Name of the continent. - -type: keyword - -example: North America - --- - -*`threat.indicator.geo.country_iso_code`*:: -+ --- -Country ISO code. - -type: keyword - -example: CA - --- - -*`threat.indicator.geo.country_name`*:: -+ --- -Country name. - -type: keyword - -example: Canada - --- - -*`threat.indicator.geo.location`*:: -+ --- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } - --- - -*`threat.indicator.geo.name`*:: -+ --- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword - -example: boston-dc - --- - -*`threat.indicator.geo.postal_code`*:: -+ --- -Postal code associated with the location. -Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - -type: keyword - -example: 94040 - --- - -*`threat.indicator.geo.region_iso_code`*:: -+ --- -Region ISO code. - -type: keyword - -example: CA-QC - --- - -*`threat.indicator.geo.region_name`*:: -+ --- -Region name. - -type: keyword - -example: Quebec - --- - -*`threat.indicator.geo.timezone`*:: -+ --- -The time zone of the location, such as IANA time zone name. - -type: keyword - -example: America/Argentina/Buenos_Aires - --- - -*`threat.indicator.hash.md5`*:: -+ --- -MD5 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha1`*:: -+ --- -SHA1 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha256`*:: -+ --- -SHA256 hash. - -type: keyword - --- - -*`threat.indicator.hash.sha512`*:: -+ --- -SHA512 hash. 
- -type: keyword - --- - -*`threat.indicator.hash.ssdeep`*:: -+ --- -SSDEEP hash. - -type: keyword - --- - -*`threat.indicator.ip`*:: -+ --- -Identifies a threat indicator as an IP address (irrespective of direction). - -type: ip - -example: 1.2.3.4 - --- - -*`threat.indicator.last_seen`*:: -+ --- -The date and time when intelligence source last reported sighting this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.indicator.marking.tlp`*:: -+ --- -Traffic Light Protocol sharing markings. -Recommended values are: - * WHITE - * GREEN - * AMBER - * RED - -type: keyword - -example: WHITE - --- - -*`threat.indicator.modified_at`*:: -+ --- -The date and time when intelligence source last modified information for this indicator. - -type: date - -example: 2020-11-05T17:25:47.000Z - --- - -*`threat.indicator.pe.architecture`*:: -+ --- -CPU architecture target for the file. - -type: keyword - -example: x64 - --- - -*`threat.indicator.pe.company`*:: -+ --- -Internal company name of the file, provided at compile-time. - -type: keyword - -example: Microsoft Corporation - --- - -*`threat.indicator.pe.description`*:: -+ --- -Internal description of the file, provided at compile-time. - -type: keyword - -example: Paint - --- - -*`threat.indicator.pe.file_version`*:: -+ --- -Internal version of the file, provided at compile-time. - -type: keyword - -example: 6.3.9600.17415 - --- - -*`threat.indicator.pe.imphash`*:: -+ --- -A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. -Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - -type: keyword - -example: 0c6803c4e922103c4dca5963aad36ddf - --- - -*`threat.indicator.pe.original_file_name`*:: -+ --- -Internal name of the file, provided at compile-time. 
- -type: keyword - -example: MSPAINT.EXE - --- - -*`threat.indicator.pe.product`*:: -+ --- -Internal product name of the file, provided at compile-time. - -type: keyword - -example: Microsoft® Windows® Operating System - --- - -*`threat.indicator.port`*:: -+ --- -Identifies a threat indicator as a port number (irrespective of direction). - -type: long - -example: 443 - --- - -*`threat.indicator.provider`*:: -+ --- -The name of the indicator's provider. - -type: keyword - -example: lrz_urlhaus - --- - -*`threat.indicator.reference`*:: -+ --- -Reference URL linking to additional information about this indicator. - -type: keyword - -example: https://system.example.com/indicator/0001234 - --- - -*`threat.indicator.registry.data.bytes`*:: -+ --- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. - -type: keyword - -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - --- - -*`threat.indicator.registry.data.strings`*:: -+ --- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - -type: keyword - -example: ["C:\rta\red_ttp\bin\myapp.exe"] - --- - -*`threat.indicator.registry.data.type`*:: -+ --- -Standard registry type for encoding contents - -type: keyword - -example: REG_SZ - --- - -*`threat.indicator.registry.hive`*:: -+ --- -Abbreviated name for the hive. - -type: keyword - -example: HKLM - --- - -*`threat.indicator.registry.key`*:: -+ --- -Hive-relative path of keys. 
- -type: keyword - -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - --- - -*`threat.indicator.registry.path`*:: -+ --- -Full path, including hive, key and value - -type: keyword - -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - --- - -*`threat.indicator.registry.value`*:: -+ --- -Name of the value written. - -type: keyword - -example: Debugger - --- - -*`threat.indicator.scanner_stats`*:: -+ --- -Count of AV/EDR vendors that successfully detected malicious file or URL. - -type: long - -example: 4 - --- - -*`threat.indicator.sightings`*:: -+ --- -Number of times this indicator was observed conducting threat activity. - -type: long - -example: 20 - --- - -*`threat.indicator.type`*:: -+ --- -Type of indicator as represented by Cyber Observable in STIX 2.0. -Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - -type: keyword - -example: ipv4-addr - --- - -*`threat.indicator.url.domain`*:: -+ --- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - -type: keyword - -example: www.elastic.co - --- - -*`threat.indicator.url.extension`*:: -+ --- -The field contains the file extension from the original request url, excluding the leading dot. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". 
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword - -example: png - --- - -*`threat.indicator.url.fragment`*:: -+ --- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. - -type: keyword - --- - -*`threat.indicator.url.full`*:: -+ --- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top - --- - -*`threat.indicator.url.full.text`*:: -+ --- -type: text - --- - -*`threat.indicator.url.original`*:: -+ --- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - --- - -*`threat.indicator.url.original.text`*:: -+ --- -type: text - --- - -*`threat.indicator.url.password`*:: -+ --- -Password of the request. - -type: keyword - --- - -*`threat.indicator.url.path`*:: -+ --- -Path of the request, such as "/search". - -type: keyword - --- - -*`threat.indicator.url.port`*:: -+ --- -Port of the request, such as 443. - -type: long - -example: 443 - -format: string - --- - -*`threat.indicator.url.query`*:: -+ --- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
- -type: keyword - --- - -*`threat.indicator.url.registered_domain`*:: -+ --- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`threat.indicator.url.scheme`*:: -+ --- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -type: keyword - -example: https - --- - -*`threat.indicator.url.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: east - --- - -*`threat.indicator.url.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`threat.indicator.url.username`*:: -+ --- -Username of the request. - -type: keyword - --- - -*`threat.indicator.x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - -*`threat.indicator.x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: Example SHA2 High Assurance Server CA - --- - -*`threat.indicator.x509.issuer.country`*:: -+ --- -List of country (C) codes - -type: keyword - -example: US - --- - -*`threat.indicator.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`threat.indicator.x509.issuer.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: Mountain View - --- - -*`threat.indicator.x509.issuer.organization`*:: -+ --- -List of organizations (O) of issuing certificate authority. - -type: keyword - -example: Example Inc - --- - -*`threat.indicator.x509.issuer.organizational_unit`*:: -+ --- -List of organizational units (OU) of issuing certificate authority. - -type: keyword - -example: www.example.com - --- - -*`threat.indicator.x509.issuer.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`threat.indicator.x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39+00:00 - --- - -*`threat.indicator.x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 - --- - -*`threat.indicator.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`threat.indicator.x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
- -type: keyword - -example: nistp521 - --- - -*`threat.indicator.x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 - -Field is not indexed. - --- - -*`threat.indicator.x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`threat.indicator.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`threat.indicator.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword - -example: SHA256-RSA - --- - -*`threat.indicator.x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. - -type: keyword - -example: shared.global.example.net - --- - -*`threat.indicator.x509.subject.country`*:: -+ --- -List of country (C) code - -type: keyword - -example: US - --- - -*`threat.indicator.x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`threat.indicator.x509.subject.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: San Francisco - --- - -*`threat.indicator.x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. - -type: keyword - -example: Example, Inc. - --- - -*`threat.indicator.x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. 
- -type: keyword - --- - -*`threat.indicator.x509.subject.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`threat.indicator.x509.version_number`*:: -+ --- -Version of x509 format. - -type: keyword - -example: 3 - --- - -*`threat.software.id`*:: -+ --- -The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. - -type: keyword - -example: S0552 - --- - -*`threat.software.name`*:: -+ --- -The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. - -type: keyword - -example: AdFind - --- - -*`threat.software.platforms`*:: -+ --- -The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. -Recommended Values: - * AWS - * Azure - * Azure AD - * GCP - * Linux - * macOS - * Network - * Office 365 - * SaaS - * Windows - -type: keyword - -example: [ "Windows" ] - --- - -*`threat.software.reference`*:: -+ --- -The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. - -type: keyword - -example: https://attack.mitre.org/software/S0552/ - --- - -*`threat.software.type`*:: -+ --- -The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. -Recommended values - * Malware - * Tool - -type: keyword - -example: Tool - --- - -*`threat.tactic.id`*:: -+ --- -The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/ ) - -type: keyword - -example: TA0002 - --- - -*`threat.tactic.name`*:: -+ --- -Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - -type: keyword - -example: Execution - --- - -*`threat.tactic.reference`*:: -+ --- -The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - -type: keyword - -example: https://attack.mitre.org/tactics/TA0002/ - --- - -*`threat.technique.id`*:: -+ --- -The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - -type: keyword - -example: T1059 - --- - -*`threat.technique.name`*:: -+ --- -The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - -type: keyword - -example: Command and Scripting Interpreter - --- - -*`threat.technique.name.text`*:: -+ --- -type: text - --- - -*`threat.technique.reference`*:: -+ --- -The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - -type: keyword - -example: https://attack.mitre.org/techniques/T1059/ - --- - -*`threat.technique.subtechnique.id`*:: -+ --- -The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - -type: keyword - -example: T1059.001 - --- - -*`threat.technique.subtechnique.name`*:: -+ --- -The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/) - -type: keyword - -example: PowerShell - --- - -*`threat.technique.subtechnique.name.text`*:: -+ --- -type: text - --- - -*`threat.technique.subtechnique.reference`*:: -+ --- -The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - -type: keyword - -example: https://attack.mitre.org/techniques/T1059/001/ - --- - -[float] -=== tls - -Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. - - -*`tls.cipher`*:: -+ --- -String indicating the cipher used during the current connection. - -type: keyword - -example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - --- - -*`tls.client.certificate`*:: -+ --- -PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - -type: keyword - -example: MII... - --- - -*`tls.client.certificate_chain`*:: -+ --- -Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - -type: keyword - -example: ["MII...", "MII..."] - --- - -*`tls.client.hash.md5`*:: -+ --- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword - -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - --- - -*`tls.client.hash.sha1`*:: -+ --- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- -type: keyword - -example: 9E393D93138888D288266C2D915214D1D1CCEB2A - --- - -*`tls.client.hash.sha256`*:: -+ --- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword - -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - --- - -*`tls.client.issuer`*:: -+ --- -Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - -type: keyword - -example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com - --- - -*`tls.client.ja3`*:: -+ --- -A hash that identifies clients based on how they perform an SSL/TLS handshake. - -type: keyword - -example: d4e5b18d6b55c71272893221c96ba240 - --- - -*`tls.client.not_after`*:: -+ --- -Date/Time indicating when client certificate is no longer considered valid. - -type: date - -example: 2021-01-01T00:00:00.000Z - --- - -*`tls.client.not_before`*:: -+ --- -Date/Time indicating when client certificate is first considered valid. - -type: date - -example: 1970-01-01T00:00:00.000Z - --- - -*`tls.client.server_name`*:: -+ --- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - -type: keyword - -example: www.elastic.co - --- - -*`tls.client.subject`*:: -+ --- -Distinguished name of subject of the x.509 certificate presented by the client. - -type: keyword - -example: CN=myclient, OU=Documentation Team, DC=example, DC=com - --- - -*`tls.client.supported_ciphers`*:: -+ --- -Array of ciphers offered by the client during the client hello. - -type: keyword - -example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] - --- - -*`tls.client.x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - -*`tls.client.x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: Example SHA2 High Assurance Server CA - --- - -*`tls.client.x509.issuer.country`*:: -+ --- -List of country (C) codes - -type: keyword - -example: US - --- - -*`tls.client.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`tls.client.x509.issuer.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: Mountain View - --- - -*`tls.client.x509.issuer.organization`*:: -+ --- -List of organizations (O) of issuing certificate authority. - -type: keyword - -example: Example Inc - --- - -*`tls.client.x509.issuer.organizational_unit`*:: -+ --- -List of organizational units (OU) of issuing certificate authority. - -type: keyword - -example: www.example.com - --- - -*`tls.client.x509.issuer.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`tls.client.x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39+00:00 - --- - -*`tls.client.x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 - --- - -*`tls.client.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`tls.client.x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
- -type: keyword - -example: nistp521 - --- - -*`tls.client.x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 - -Field is not indexed. - --- - -*`tls.client.x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`tls.client.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`tls.client.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword - -example: SHA256-RSA - --- - -*`tls.client.x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. - -type: keyword - -example: shared.global.example.net - --- - -*`tls.client.x509.subject.country`*:: -+ --- -List of country (C) code - -type: keyword - -example: US - --- - -*`tls.client.x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`tls.client.x509.subject.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: San Francisco - --- - -*`tls.client.x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. - -type: keyword - -example: Example, Inc. - --- - -*`tls.client.x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. 
- -type: keyword - --- - -*`tls.client.x509.subject.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`tls.client.x509.version_number`*:: -+ --- -Version of x509 format. - -type: keyword - -example: 3 - --- - -*`tls.curve`*:: -+ --- -String indicating the curve used for the given cipher, when applicable. - -type: keyword - -example: secp256r1 - --- - -*`tls.established`*:: -+ --- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - -type: boolean - --- - -*`tls.next_protocol`*:: -+ --- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - -type: keyword - -example: http/1.1 - --- - -*`tls.resumed`*:: -+ --- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - -type: boolean - --- - -*`tls.server.certificate`*:: -+ --- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - -type: keyword - -example: MII... - --- - -*`tls.server.certificate_chain`*:: -+ --- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - -type: keyword - -example: ["MII...", "MII..."] - --- - -*`tls.server.hash.md5`*:: -+ --- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- -type: keyword - -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - --- - -*`tls.server.hash.sha1`*:: -+ --- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword - -example: 9E393D93138888D288266C2D915214D1D1CCEB2A - --- - -*`tls.server.hash.sha256`*:: -+ --- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword - -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - --- - -*`tls.server.issuer`*:: -+ --- -Subject of the issuer of the x.509 certificate presented by the server. - -type: keyword - -example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com - --- - -*`tls.server.ja3s`*:: -+ --- -A hash that identifies servers based on how they perform an SSL/TLS handshake. - -type: keyword - -example: 394441ab65754e2207b1e1b457b3641d - --- - -*`tls.server.not_after`*:: -+ --- -Timestamp indicating when server certificate is no longer considered valid. - -type: date - -example: 2021-01-01T00:00:00.000Z - --- - -*`tls.server.not_before`*:: -+ --- -Timestamp indicating when server certificate is first considered valid. - -type: date - -example: 1970-01-01T00:00:00.000Z - --- - -*`tls.server.subject`*:: -+ --- -Subject of the x.509 certificate presented by the server. - -type: keyword - -example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com - --- - -*`tls.server.x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
- -type: keyword - -example: *.elastic.co - --- - -*`tls.server.x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: Example SHA2 High Assurance Server CA - --- - -*`tls.server.x509.issuer.country`*:: -+ --- -List of country (C) codes - -type: keyword - -example: US - --- - -*`tls.server.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`tls.server.x509.issuer.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: Mountain View - --- - -*`tls.server.x509.issuer.organization`*:: -+ --- -List of organizations (O) of issuing certificate authority. - -type: keyword - -example: Example Inc - --- - -*`tls.server.x509.issuer.organizational_unit`*:: -+ --- -List of organizational units (OU) of issuing certificate authority. - -type: keyword - -example: www.example.com - --- - -*`tls.server.x509.issuer.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`tls.server.x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39+00:00 - --- - -*`tls.server.x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 - --- - -*`tls.server.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`tls.server.x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword - -example: nistp521 - --- - -*`tls.server.x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. 
- -type: long - -example: 65537 - -Field is not indexed. - --- - -*`tls.server.x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`tls.server.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`tls.server.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword - -example: SHA256-RSA - --- - -*`tls.server.x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. - -type: keyword - -example: shared.global.example.net - --- - -*`tls.server.x509.subject.country`*:: -+ --- -List of country (C) code - -type: keyword - -example: US - --- - -*`tls.server.x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`tls.server.x509.subject.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: San Francisco - --- - -*`tls.server.x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. - -type: keyword - -example: Example, Inc. - --- - -*`tls.server.x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. - -type: keyword - --- - -*`tls.server.x509.subject.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`tls.server.x509.version_number`*:: -+ --- -Version of x509 format. 
- -type: keyword - -example: 3 - --- - -*`tls.version`*:: -+ --- -Numeric part of the version parsed from the original string. - -type: keyword - -example: 1.2 - --- - -*`tls.version_protocol`*:: -+ --- -Normalized lowercase protocol name parsed from original string. - -type: keyword - -example: tls - --- - -*`span.id`*:: -+ --- -Unique identifier of the span within the scope of its trace. -A span represents an operation within a transaction, such as a request to another service, or a database query. - -type: keyword - -example: 3ff9a8981b7ccd5a - --- - -*`trace.id`*:: -+ --- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. - -type: keyword - -example: 4bf92f3577b34da6a3ce929d0e0e4736 - --- - -*`transaction.id`*:: -+ --- -Unique identifier of the transaction within the scope of its trace. -A transaction is the highest level of work measured within a service, such as a request to a server. - -type: keyword - -example: 00f067aa0ba902b7 - --- - -[float] -=== url - -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. - - -*`url.domain`*:: -+ --- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - -type: keyword - -example: www.elastic.co - --- - -*`url.extension`*:: -+ --- -The field contains the file extension from the original request url, excluding the leading dot. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". 
-Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - -type: keyword - -example: png - --- - -*`url.fragment`*:: -+ --- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. - -type: keyword - --- - -*`url.full`*:: -+ --- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top - --- - -*`url.full.text`*:: -+ --- -type: text - --- - -*`url.original`*:: -+ --- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. - -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - --- - -*`url.original.text`*:: -+ --- -type: text - --- - -*`url.password`*:: -+ --- -Password of the request. - -type: keyword - --- - -*`url.path`*:: -+ --- -Path of the request, such as "/search". - -type: keyword - --- - -*`url.port`*:: -+ --- -Port of the request, such as 443. - -type: long - -example: 443 - -format: string - --- - -*`url.query`*:: -+ --- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - -type: keyword - --- - -*`url.registered_domain`*:: -+ --- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.example.com" is "example.com". 
-This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword - -example: example.com - --- - -*`url.scheme`*:: -+ --- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -type: keyword - -example: https - --- - -*`url.subdomain`*:: -+ --- -The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. -For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - -type: keyword - -example: east - --- - -*`url.top_level_domain`*:: -+ --- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - -type: keyword - -example: co.uk - --- - -*`url.username`*:: -+ --- -Username of the request. - -type: keyword - --- - -[float] -=== user - -The user fields describe information about the user that is relevant to the event. -Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. - - -*`user.changes.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. 
- -type: keyword - --- - -*`user.changes.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`user.changes.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`user.changes.full_name.text`*:: -+ --- -type: text - --- - -*`user.changes.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.changes.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.changes.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.changes.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.changes.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`user.changes.name.text`*:: -+ --- -type: text - --- - -*`user.changes.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -*`user.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`user.effective.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`user.effective.full_name.text`*:: -+ --- -type: text - --- - -*`user.effective.group.domain`*:: -+ --- -Name of the directory the group is a member of. 
-For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.effective.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.effective.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`user.effective.name.text`*:: -+ --- -type: text - --- - -*`user.effective.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -*`user.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`user.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`user.full_name.text`*:: -+ --- -type: text - --- - -*`user.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.name`*:: -+ --- -Short name or login of the user. 
- -type: keyword - -example: albert - --- - -*`user.name.text`*:: -+ --- -type: text - --- - -*`user.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -*`user.target.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.email`*:: -+ --- -User email address. - -type: keyword - --- - -*`user.target.full_name`*:: -+ --- -User's full name, if available. - -type: keyword - -example: Albert Einstein - --- - -*`user.target.full_name.text`*:: -+ --- -type: text - --- - -*`user.target.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.target.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.target.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.target.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.target.name`*:: -+ --- -Short name or login of the user. - -type: keyword - -example: albert - --- - -*`user.target.name.text`*:: -+ --- -type: text - --- - -*`user.target.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - -[float] -=== user_agent - -The user_agent fields normally come from a browser request. -They often show up in web service logs coming from the parsed user agent string. - - -*`user_agent.device.name`*:: -+ --- -Name of the device. - -type: keyword - -example: iPhone - --- - -*`user_agent.name`*:: -+ --- -Name of the user agent. 
- -type: keyword - -example: Safari - --- - -*`user_agent.original`*:: -+ --- -Unparsed user_agent string. - -type: keyword - -example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - --- - -*`user_agent.original.text`*:: -+ --- -type: text - --- - -*`user_agent.os.family`*:: -+ --- -OS family (such as redhat, debian, freebsd, windows). - -type: keyword - -example: debian - --- - -*`user_agent.os.full`*:: -+ --- -Operating system name, including the version or code name. - -type: keyword - -example: Mac OS Mojave - --- - -*`user_agent.os.full.text`*:: -+ --- -type: text - --- - -*`user_agent.os.kernel`*:: -+ --- -Operating system kernel version as a raw string. - -type: keyword - -example: 4.4.0-112-generic - --- - -*`user_agent.os.name`*:: -+ --- -Operating system name, without the version. - -type: keyword - -example: Mac OS X - --- - -*`user_agent.os.name.text`*:: -+ --- -type: text - --- - -*`user_agent.os.platform`*:: -+ --- -Operating system platform (such centos, ubuntu, windows). - -type: keyword - -example: darwin - --- - -*`user_agent.os.type`*:: -+ --- -Use the `os.type` field to categorize the operating system into one of the broad commercial families. -One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - -type: keyword - -example: macos - --- - -*`user_agent.os.version`*:: -+ --- -Operating system version as a raw string. - -type: keyword - -example: 10.14.1 - --- - -*`user_agent.version`*:: -+ --- -Version of the user agent. - -type: keyword - -example: 12.0 - --- - -[float] -=== vlan - -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. 
-Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. -Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. -Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. - - -*`vlan.id`*:: -+ --- -VLAN ID as reported by the observer. - -type: keyword - -example: 10 - --- - -*`vlan.name`*:: -+ --- -Optional VLAN name as reported by the observer. - -type: keyword - -example: outside - --- - -[float] -=== vulnerability - -The vulnerability fields describe information about a vulnerability that is relevant to an event. - - -*`vulnerability.category`*:: -+ --- -The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) -This field must be an array. - -type: keyword - -example: ["Firewall"] - --- - -*`vulnerability.classification`*:: -+ --- -The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) - -type: keyword - -example: CVSS - --- - -*`vulnerability.description`*:: -+ --- -The description of the vulnerability that provides additional context of the vulnerability. 
For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) - -type: keyword - -example: In macOS before 2.12.6, there is a vulnerability in the RPC... - --- - -*`vulnerability.description.text`*:: -+ --- -type: text - --- - -*`vulnerability.enumeration`*:: -+ --- -The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) - -type: keyword - -example: CVE - --- - -*`vulnerability.id`*:: -+ --- -The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] - -type: keyword - -example: CVE-2019-00001 - --- - -*`vulnerability.reference`*:: -+ --- -A resource that provides additional information, context, and mitigations for the identified vulnerability. - -type: keyword - -example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 - --- - -*`vulnerability.report_id`*:: -+ --- -The report or scan identification number. - -type: keyword - -example: 20191018.0001 - --- - -*`vulnerability.scanner.vendor`*:: -+ --- -The name of the vulnerability scanner vendor. - -type: keyword - -example: Tenable - --- - -*`vulnerability.score.base`*:: -+ --- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - -type: float - -example: 5.5 - --- - -*`vulnerability.score.environmental`*:: -+ --- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. 
For example (https://www.first.org/cvss/specification-document) - -type: float - -example: 5.5 - --- - -*`vulnerability.score.temporal`*:: -+ --- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) - -type: float - --- - -*`vulnerability.score.version`*:: -+ --- -The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. -CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) - -type: keyword - -example: 2.0 - --- - -*`vulnerability.severity`*:: -+ --- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - -type: keyword - -example: Critical - --- - -[float] -=== x509 - -This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. -When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). -Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. - - -*`x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - -*`x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: Example SHA2 High Assurance Server CA - --- - -*`x509.issuer.country`*:: -+ --- -List of country (C) codes - -type: keyword - -example: US - --- - -*`x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - --- - -*`x509.issuer.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: Mountain View - --- - -*`x509.issuer.organization`*:: -+ --- -List of organizations (O) of issuing certificate authority. - -type: keyword - -example: Example Inc - --- - -*`x509.issuer.organizational_unit`*:: -+ --- -List of organizational units (OU) of issuing certificate authority. - -type: keyword - -example: www.example.com - --- - -*`x509.issuer.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39+00:00 - --- - -*`x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25+00:00 - --- - -*`x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword - -example: nistp521 - --- - -*`x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. 
- -type: long - -example: 65537 - -Field is not indexed. - --- - -*`x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - -type: keyword - -example: SHA256-RSA - --- - -*`x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. - -type: keyword - -example: shared.global.example.net - --- - -*`x509.subject.country`*:: -+ --- -List of country (C) code - -type: keyword - -example: US - --- - -*`x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - --- - -*`x509.subject.locality`*:: -+ --- -List of locality names (L) - -type: keyword - -example: San Francisco - --- - -*`x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. - -type: keyword - -example: Example, Inc. - --- - -*`x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. - -type: keyword - --- - -*`x509.subject.state_or_province`*:: -+ --- -List of state or province names (ST, S, or P) - -type: keyword - -example: California - --- - -*`x509.version_number`*:: -+ --- -Version of x509 format. 
- -type: keyword - -example: 3 - --- - -[[exported-fields-elasticsearch]] -== Elasticsearch fields - -elasticsearch Module - - - -[float] -=== elasticsearch - - - - -*`elasticsearch.component`*:: -+ --- -Elasticsearch component from where the log event originated - -type: keyword - -example: o.e.c.m.MetaDataCreateIndexService - --- - -*`elasticsearch.cluster.uuid`*:: -+ --- -UUID of the cluster - -type: keyword - -example: GmvrbHlNTiSVYiPf8kxg9g - --- - -*`elasticsearch.cluster.name`*:: -+ --- -Name of the cluster - -type: keyword - -example: docker-cluster - --- - -*`elasticsearch.node.id`*:: -+ --- -ID of the node - -type: keyword - -example: DSiWcTyeThWtUXLB9J0BMw - --- - -*`elasticsearch.node.name`*:: -+ --- -Name of the node - -type: keyword - -example: vWNJsZ3 - --- - -*`elasticsearch.index.name`*:: -+ --- -Index name - -type: keyword - -example: filebeat-test-input - --- - -*`elasticsearch.index.id`*:: -+ --- -Index id - -type: keyword - -example: aOGgDwbURfCV57AScqbCgw - --- - -*`elasticsearch.shard.id`*:: -+ --- -Id of the shard - -type: keyword - -example: 0 - --- - - -*`elasticsearch.audit.layer`*:: -+ --- -The layer from which this event originated: rest, transport or ip_filter - -type: keyword - -example: rest - --- - -*`elasticsearch.audit.event_type`*:: -+ --- -The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied - -type: keyword - -example: access_granted - --- - -*`elasticsearch.audit.origin.type`*:: -+ --- -Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) - -type: keyword - -example: local_node - --- - -*`elasticsearch.audit.realm`*:: -+ --- -The authentication realm the authentication was validated against - -type: keyword - --- - -*`elasticsearch.audit.user.realm`*:: 
-+ --- -The user's authentication realm, if authenticated - -type: keyword - --- - -*`elasticsearch.audit.user.roles`*:: -+ --- -Roles to which the principal belongs - -type: keyword - -example: ['kibana_admin', 'beats_admin'] - --- - -*`elasticsearch.audit.user.run_as.name`*:: -+ --- -type: keyword - --- - -*`elasticsearch.audit.user.run_as.realm`*:: -+ --- -type: keyword - --- - -*`elasticsearch.audit.component`*:: -+ --- -type: keyword - --- - -*`elasticsearch.audit.action`*:: -+ --- -The name of the action that was executed - -type: keyword - -example: cluster:monitor/main - --- - -*`elasticsearch.audit.url.params`*:: -+ --- -REST URI parameters - -example: {username=jacknich2} - --- - -*`elasticsearch.audit.indices`*:: -+ --- -Indices accessed by action - -type: keyword - -example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] - --- - -*`elasticsearch.audit.request.id`*:: -+ --- -Unique ID of request - -type: keyword - -example: WzL_kb6VSvOhAq0twPvHOQ - --- - -*`elasticsearch.audit.request.name`*:: -+ --- -The type of request that was executed - -type: keyword - -example: ClearScrollRequest - --- - -*`elasticsearch.audit.request_body`*:: -+ --- -type: alias - -alias to: http.request.body.content - --- - -*`elasticsearch.audit.origin_address`*:: -+ --- -type: alias - -alias to: source.ip - --- - -*`elasticsearch.audit.uri`*:: -+ --- -type: alias - -alias to: url.original - --- - -*`elasticsearch.audit.principal`*:: -+ --- -type: alias - -alias to: user.name - --- - -*`elasticsearch.audit.message`*:: -+ --- -type: text - --- - -*`elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user`*:: -+ --- -type: boolean - --- - -[float] -=== deprecation - - - -[float] -=== gc - -GC fileset fields. - - - -[float] -=== phase - -Fields specific to GC phase. - - - -*`elasticsearch.gc.phase.name`*:: -+ --- -Name of the GC collection phase. 
- - -type: keyword - --- - -*`elasticsearch.gc.phase.duration_sec`*:: -+ --- -Collection phase duration according to the Java virtual machine. - - -type: float - --- - -*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: -+ --- -Pause time in seconds cleaning up symbol tables. - - -type: float - --- - -*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: -+ --- -Pause time in seconds cleaning up string tables. - - -type: float - --- - -*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: -+ --- -Time spent processing weak references in seconds. - - -type: float - --- - -*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: -+ --- -Time spent in seconds marking live objects while application is stopped. - - -type: float - --- - -*`elasticsearch.gc.phase.class_unload_time_sec`*:: -+ --- -Time spent unloading unused classes in seconds. - - -type: float - --- - -[float] -=== cpu_time - -Process CPU time spent performing collections. - - - -*`elasticsearch.gc.phase.cpu_time.user_sec`*:: -+ --- -CPU time spent outside the kernel. - - -type: float - --- - -*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: -+ --- -CPU time spent inside the kernel. - - -type: float - --- - -*`elasticsearch.gc.phase.cpu_time.real_sec`*:: -+ --- -Total elapsed CPU time spent to complete the collection from start to finish. - - -type: float - --- - -*`elasticsearch.gc.jvm_runtime_sec`*:: -+ --- -The time from JVM start up in seconds, as a floating point number. - - -type: float - --- - -*`elasticsearch.gc.threads_total_stop_time_sec`*:: -+ --- -Garbage collection threads total stop time seconds. - - -type: float - --- - -*`elasticsearch.gc.stopping_threads_time_sec`*:: -+ --- -Time took to stop threads seconds. - - -type: float - --- - -*`elasticsearch.gc.tags`*:: -+ --- -GC logging tags. - - -type: keyword - --- - -[float] -=== heap - -Heap allocation and total size. - - - -*`elasticsearch.gc.heap.size_kb`*:: -+ --- -Total heap size in kilobytes. 
- - -type: integer - --- - -*`elasticsearch.gc.heap.used_kb`*:: -+ --- -Used heap in kilobytes. - - -type: integer - --- - -[float] -=== old_gen - -Old generation occupancy and total size. - - - -*`elasticsearch.gc.old_gen.size_kb`*:: -+ --- -Total size of old generation in kilobytes. - - -type: integer - --- - -*`elasticsearch.gc.old_gen.used_kb`*:: -+ --- -Old generation occupancy in kilobytes. - - -type: integer - --- - -[float] -=== young_gen - -Young generation occupancy and total size. - - - -*`elasticsearch.gc.young_gen.size_kb`*:: -+ --- -Total size of young generation in kilobytes. - - -type: integer - --- - -*`elasticsearch.gc.young_gen.used_kb`*:: -+ --- -Young generation occupancy in kilobytes. - - -type: integer - --- - -[float] -=== server - -Server log file - - -*`elasticsearch.server.stacktrace`*:: -+ --- -Field is not indexed. - --- - -[float] -=== gc - -GC log - - -[float] -=== young - -Young GC - - -*`elasticsearch.server.gc.young.one`*:: -+ --- - - -type: long - -example: - --- - -*`elasticsearch.server.gc.young.two`*:: -+ --- - - -type: long - -example: - --- - -*`elasticsearch.server.gc.overhead_seq`*:: -+ --- -Sequence number - -type: long - -example: 3449992 - --- - -*`elasticsearch.server.gc.collection_duration.ms`*:: -+ --- -Time spent in GC, in milliseconds - -type: float - -example: 1600 - --- - -*`elasticsearch.server.gc.observation_duration.ms`*:: -+ --- -Total time over which collection was observed, in milliseconds - -type: float - -example: 1800 - --- - -[float] -=== slowlog - -Slowlog events from Elasticsearch - - -*`elasticsearch.slowlog.logger`*:: -+ --- -Logger name - -type: keyword - -example: index.search.slowlog.fetch - --- - -*`elasticsearch.slowlog.took`*:: -+ --- -Time it took to execute the query - -type: keyword - -example: 300ms - --- - -*`elasticsearch.slowlog.types`*:: -+ --- -Types - -type: keyword - -example: - --- - -*`elasticsearch.slowlog.stats`*:: -+ --- -Stats groups - -type: keyword - -example: group1 - --- - 
-*`elasticsearch.slowlog.search_type`*:: -+ --- -Search type - -type: keyword - -example: QUERY_THEN_FETCH - --- - -*`elasticsearch.slowlog.source_query`*:: -+ --- -Slow query - -type: keyword - -example: {"query":{"match_all":{"boost":1.0}}} - --- - -*`elasticsearch.slowlog.extra_source`*:: -+ --- -Extra source information - -type: keyword - -example: - --- - -*`elasticsearch.slowlog.total_hits`*:: -+ --- -Total hits - -type: keyword - -example: 42 - --- - -*`elasticsearch.slowlog.total_shards`*:: -+ --- -Total queried shards - -type: keyword - -example: 22 - --- - -*`elasticsearch.slowlog.routing`*:: -+ --- -Routing - -type: keyword - -example: s01HZ2QBk9jw4gtgaFtn - --- - -*`elasticsearch.slowlog.id`*:: -+ --- -Id - -type: keyword - -example: - --- - -*`elasticsearch.slowlog.type`*:: -+ --- -Type - -type: keyword - -example: doc - --- - -*`elasticsearch.slowlog.source`*:: -+ --- -Source of document that was indexed - -type: keyword - --- - -[[exported-fields-envoyproxy]] -== Envoyproxy fields - -Module for handling logs produced by envoy - - - -[float] -=== envoyproxy - -Fields from envoy proxy logs after normalization - - - -*`envoyproxy.log_type`*:: -+ --- -Envoy log type, normally ACCESS - - -type: keyword - --- - -*`envoyproxy.response_flags`*:: -+ --- -Response flags - - -type: keyword - --- - -*`envoyproxy.upstream_service_time`*:: -+ --- -Upstream service time in nanoseconds - - -type: long - -format: duration - --- - -*`envoyproxy.request_id`*:: -+ --- -ID of the request - - -type: keyword - --- - -*`envoyproxy.authority`*:: -+ --- -Envoy proxy authority field - - -type: keyword - --- - -*`envoyproxy.proxy_type`*:: -+ --- -Envoy proxy type, tcp or http - - -type: keyword - --- - -[[exported-fields-f5]] -== Big-IP Access Policy Manager fields - -f5 fields. - - - -*`network.interface.name`*:: -+ --- -Name of the network interface where the traffic has been observed. 
- - -type: keyword - --- - - - -*`rsa.internal.msg`*:: -+ --- -This key is used to capture the raw message that comes into the Log Decoder - -type: keyword - --- - -*`rsa.internal.messageid`*:: -+ --- -type: keyword - --- - -*`rsa.internal.event_desc`*:: -+ --- -type: keyword - --- - -*`rsa.internal.message`*:: -+ --- -This key captures the contents of instant messages - -type: keyword - --- - -*`rsa.internal.time`*:: -+ --- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date - --- - -*`rsa.internal.level`*:: -+ --- -Deprecated key defined only in table map. - -type: long - --- - -*`rsa.internal.msg_id`*:: -+ --- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.msg_vid`*:: -+ --- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword - --- - -*`rsa.internal.data`*:: -+ --- -Deprecated key defined only in table map. +Operating system name, including the version or code name. type: keyword +example: Mac OS Mojave + -- -*`rsa.internal.obj_server`*:: +*`user_agent.os.full.text`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: text -- -*`rsa.internal.obj_val`*:: +*`user_agent.os.kernel`*:: + -- -Deprecated key defined only in table map. +Operating system kernel version as a raw string. type: keyword +example: 4.4.0-112-generic + -- -*`rsa.internal.resource`*:: +*`user_agent.os.name`*:: + -- -Deprecated key defined only in table map. 
+Operating system name, without the version. type: keyword +example: Mac OS X + -- -*`rsa.internal.obj_id`*:: +*`user_agent.os.name.text`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: text -- -*`rsa.internal.statement`*:: +*`user_agent.os.platform`*:: + -- -Deprecated key defined only in table map. +Operating system platform (such centos, ubuntu, windows). type: keyword +example: darwin + -- -*`rsa.internal.audit_class`*:: +*`user_agent.os.type`*:: + -- -Deprecated key defined only in table map. +Use the `os.type` field to categorize the operating system into one of the broad commercial families. +One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword +example: macos + -- -*`rsa.internal.entry`*:: +*`user_agent.os.version`*:: + -- -Deprecated key defined only in table map. +Operating system version as a raw string. type: keyword +example: 10.14.1 + -- -*`rsa.internal.hcode`*:: +*`user_agent.version`*:: + -- -Deprecated key defined only in table map. +Version of the user agent. type: keyword --- +example: 12.0 -*`rsa.internal.inode`*:: -+ -- -Deprecated key defined only in table map. -type: long +[float] +=== vlan --- +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. 
Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. -*`rsa.internal.resource_class`*:: + +*`vlan.id`*:: + -- -Deprecated key defined only in table map. +VLAN ID as reported by the observer. type: keyword +example: 10 + -- -*`rsa.internal.dead`*:: +*`vlan.name`*:: + -- -Deprecated key defined only in table map. +Optional VLAN name as reported by the observer. -type: long +type: keyword --- +example: outside -*`rsa.internal.feed_desc`*:: -+ -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +[float] +=== vulnerability --- +The vulnerability fields describe information about a vulnerability that is relevant to an event. -*`rsa.internal.feed_name`*:: + +*`vulnerability.category`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) +This field must be an array. type: keyword +example: ["Firewall"] + -- -*`rsa.internal.cid`*:: +*`vulnerability.classification`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) type: keyword +example: CVSS + -- -*`rsa.internal.device_class`*:: +*`vulnerability.description`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) type: keyword +example: In macOS before 2.12.6, there is a vulnerability in the RPC... + -- -*`rsa.internal.device_group`*:: +*`vulnerability.description.text`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +type: text -- -*`rsa.internal.device_host`*:: +*`vulnerability.enumeration`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword +example: CVE + -- -*`rsa.internal.device_ip`*:: +*`vulnerability.id`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. 
For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] -type: ip +type: keyword + +example: CVE-2019-00001 -- -*`rsa.internal.device_ipv6`*:: +*`vulnerability.reference`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +A resource that provides additional information, context, and mitigations for the identified vulnerability. -type: ip +type: keyword + +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 -- -*`rsa.internal.device_type`*:: +*`vulnerability.report_id`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The report or scan identification number. type: keyword +example: 20191018.0001 + -- -*`rsa.internal.device_type_id`*:: +*`vulnerability.scanner.vendor`*:: + -- -Deprecated key defined only in table map. +The name of the vulnerability scanner vendor. -type: long +type: keyword + +example: Tenable -- -*`rsa.internal.did`*:: +*`vulnerability.score.base`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document) -type: keyword +type: float + +example: 5.5 -- -*`rsa.internal.entropy_req`*:: +*`vulnerability.score.environmental`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) -type: long +type: float + +example: 5.5 -- -*`rsa.internal.entropy_res`*:: +*`vulnerability.score.temporal`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) -type: long +type: float -- -*`rsa.internal.event_name`*:: +*`vulnerability.score.version`*:: + -- -Deprecated key defined only in table map. +The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. +CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword +example: 2.0 + -- -*`rsa.internal.feed_category`*:: +*`vulnerability.severity`*:: + -- -This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword --- +example: Critical -*`rsa.internal.forward_ip`*:: -+ -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: ip +[float] +=== x509 --- +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. +When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). +Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. -*`rsa.internal.forward_ipv6`*:: + +*`x509.alternative_names`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -type: ip +type: keyword + +example: *.elastic.co -- -*`rsa.internal.header_id`*:: +*`x509.issuer.common_name`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of common name (CN) of issuing certificate authority. type: keyword +example: Example SHA2 High Assurance Server CA + -- -*`rsa.internal.lc_cid`*:: +*`x509.issuer.country`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of country (C) codes type: keyword +example: US + -- -*`rsa.internal.lc_ctime`*:: +*`x509.issuer.distinguished_name`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Distinguished name (DN) of issuing certificate authority. -type: date +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`rsa.internal.mcb_req`*:: +*`x509.issuer.locality`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +List of locality names (L) -type: long +type: keyword + +example: Mountain View -- -*`rsa.internal.mcb_res`*:: +*`x509.issuer.organization`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +List of organizations (O) of issuing certificate authority. -type: long +type: keyword + +example: Example Inc -- -*`rsa.internal.mcbc_req`*:: +*`x509.issuer.organizational_unit`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +List of organizational units (OU) of issuing certificate authority. 
-type: long +type: keyword + +example: www.example.com -- -*`rsa.internal.mcbc_res`*:: +*`x509.issuer.state_or_province`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +List of state or province names (ST, S, or P) -type: long +type: keyword + +example: California -- -*`rsa.internal.medium`*:: +*`x509.not_after`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +Time at which the certificate is no longer considered valid. -type: long +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`rsa.internal.node_name`*:: +*`x509.not_before`*:: + -- -Deprecated key defined only in table map. +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`rsa.internal.nwe_callback_id`*:: +*`x509.public_key_algorithm`*:: + -- -This key denotes that event is endpoint related +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`rsa.internal.parse_error`*:: +*`x509.public_key_curve`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`rsa.internal.payload_req`*:: +*`x509.public_key_exponent`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +Exponent used to derive the public key. This is algorithm specific. 
type: long +example: 65537 + +Field is not indexed. + -- -*`rsa.internal.payload_res`*:: +*`x509.public_key_size`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +The size of the public key space in bits. type: long +example: 2048 + -- -*`rsa.internal.process_vid_dst`*:: +*`x509.serial_number`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`rsa.internal.process_vid_src`*:: +*`x509.signature_algorithm`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword +example: SHA256-RSA + -- -*`rsa.internal.rid`*:: +*`x509.subject.common_name`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of common names (CN) of subject. -type: long +type: keyword + +example: shared.global.example.net -- -*`rsa.internal.session_split`*:: +*`x509.subject.country`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of country (C) code type: keyword +example: US + -- -*`rsa.internal.site`*:: +*`x509.subject.distinguished_name`*:: + -- -Deprecated key defined only in table map. 
+Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`rsa.internal.size`*:: +*`x509.subject.locality`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of locality names (L) -type: long +type: keyword + +example: San Francisco -- -*`rsa.internal.sourcefile`*:: +*`x509.subject.organization`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of organizations (O) of subject. type: keyword +example: Example, Inc. + -- -*`rsa.internal.ubc_req`*:: +*`x509.subject.organizational_unit`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +List of organizational units (OU) of subject. -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`x509.subject.state_or_province`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +List of state or province names (ST, S, or P) -type: long +type: keyword + +example: California -- -*`rsa.internal.word`*:: +*`x509.version_number`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +Version of x509 format. 
type: keyword +example: 3 + -- +[[exported-fields-elasticsearch]] +== Elasticsearch fields -*`rsa.time.event_time`*:: -+ --- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +elasticsearch Module -type: date --- -*`rsa.time.duration_time`*:: -+ --- -This key is used to capture the normalized duration/lifetime in seconds. +[float] +=== elasticsearch -type: double --- -*`rsa.time.event_time_str`*:: + +*`elasticsearch.component`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +Elasticsearch component from where the log event originated type: keyword +example: o.e.c.m.MetaDataCreateIndexService + -- -*`rsa.time.starttime`*:: +*`elasticsearch.cluster.uuid`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +UUID of the cluster -type: date +type: keyword + +example: GmvrbHlNTiSVYiPf8kxg9g -- -*`rsa.time.month`*:: +*`elasticsearch.cluster.name`*:: + -- +Name of the cluster + type: keyword +example: docker-cluster + -- -*`rsa.time.day`*:: +*`elasticsearch.node.id`*:: + -- +ID of the node + type: keyword +example: DSiWcTyeThWtUXLB9J0BMw + -- -*`rsa.time.endtime`*:: +*`elasticsearch.node.name`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +Name of the node -type: date +type: keyword + +example: vWNJsZ3 -- -*`rsa.time.timezone`*:: +*`elasticsearch.index.name`*:: + -- -This key is used to capture the timezone of the Event Time +Index name type: keyword +example: filebeat-test-input + -- -*`rsa.time.duration_str`*:: +*`elasticsearch.index.id`*:: + -- -A text string version of the duration +Index id type: keyword +example: aOGgDwbURfCV57AScqbCgw + -- -*`rsa.time.date`*:: +*`elasticsearch.shard.id`*:: + -- +Id of the shard + type: keyword --- +example: 0 -*`rsa.time.year`*:: -+ -- -type: keyword --- -*`rsa.time.recorded_time`*:: 
+*`elasticsearch.audit.layer`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. +The layer from which this event originated: rest, transport or ip_filter -type: date +type: keyword + +example: rest -- -*`rsa.time.datetime`*:: +*`elasticsearch.audit.event_type`*:: + -- +The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied + type: keyword +example: access_granted + -- -*`rsa.time.effective_time`*:: +*`elasticsearch.audit.origin.type`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) -type: date +type: keyword + +example: local_node -- -*`rsa.time.expire_time`*:: +*`elasticsearch.audit.realm`*:: + -- -This key is the timestamp that explicitly refers to an expiration. 
+The authentication realm the authentication was validated against -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`elasticsearch.audit.user.realm`*:: + -- -Deprecated, use duration.time +The user's authentication realm, if authenticated type: keyword -- -*`rsa.time.hour`*:: +*`elasticsearch.audit.user.roles`*:: + -- +Roles to which the principal belongs + type: keyword +example: ['kibana_admin', 'beats_admin'] + -- -*`rsa.time.min`*:: +*`elasticsearch.audit.user.run_as.name`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`elasticsearch.audit.user.run_as.realm`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`elasticsearch.audit.component`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`elasticsearch.audit.action`*:: + -- +The name of the action that was executed + type: keyword +example: cluster:monitor/main + -- -*`rsa.time.tzone`*:: +*`elasticsearch.audit.url.params`*:: + -- -type: keyword +REST URI parameters + +example: {username=jacknich2} -- -*`rsa.time.eventtime`*:: +*`elasticsearch.audit.indices`*:: + -- +Indices accessed by action + type: keyword +example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] + -- -*`rsa.time.gmtdate`*:: +*`elasticsearch.audit.request.id`*:: + -- +Unique ID of request + type: keyword +example: WzL_kb6VSvOhAq0twPvHOQ + -- -*`rsa.time.gmttime`*:: +*`elasticsearch.audit.request.name`*:: + -- +The type of request that was executed + type: keyword +example: ClearScrollRequest + -- -*`rsa.time.p_date`*:: +*`elasticsearch.audit.request_body`*:: + -- -type: keyword +type: alias + +alias to: http.request.body.content -- -*`rsa.time.p_month`*:: +*`elasticsearch.audit.origin_address`*:: + -- -type: keyword +type: alias + +alias to: source.ip -- -*`rsa.time.p_time`*:: +*`elasticsearch.audit.uri`*:: + -- -type: keyword +type: alias + +alias to: url.original -- -*`rsa.time.p_time2`*:: +*`elasticsearch.audit.principal`*:: + -- -type: 
keyword +type: alias + +alias to: user.name -- -*`rsa.time.p_year`*:: +*`elasticsearch.audit.message`*:: + -- -type: keyword +type: text -- -*`rsa.time.expire_time_str`*:: +*`elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - -type: keyword +type: boolean -- -*`rsa.time.stamp`*:: -+ --- -Deprecated key defined only in table map. +[float] +=== deprecation -type: date --- +[float] +=== gc -*`rsa.misc.action`*:: +GC fileset fields. + + + +[float] +=== phase + +Fields specific to GC phase. + + + +*`elasticsearch.gc.phase.name`*:: + -- +Name of the GC collection phase. + + type: keyword -- -*`rsa.misc.result`*:: +*`elasticsearch.gc.phase.duration_sec`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +Collection phase duration according to the Java virtual machine. -type: keyword + +type: float -- -*`rsa.misc.severity`*:: +*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: + -- -This key is used to capture the severity given the session +Pause time in seconds cleaning up symbol tables. -type: keyword + +type: float -- -*`rsa.misc.event_type`*:: +*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: + -- -This key captures the event category type as specified by the event source. +Pause time in seconds cleaning up string tables. -type: keyword + +type: float -- -*`rsa.misc.reference_id`*:: +*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: + -- -This key is used to capture an event id from the session directly +Time spent processing weak references in seconds. -type: keyword + +type: float -- -*`rsa.misc.version`*:: +*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: + -- -This key captures Version of the application or OS which is generating the event. +Time spent in seconds marking live objects while application is stopped. 
-type: keyword + +type: float -- -*`rsa.misc.disposition`*:: +*`elasticsearch.gc.phase.class_unload_time_sec`*:: + -- -This key captures the The end state of an action. +Time spent unloading unused classes in seconds. -type: keyword + +type: float -- -*`rsa.misc.result_code`*:: +[float] +=== cpu_time + +Process CPU time spent performing collections. + + + +*`elasticsearch.gc.phase.cpu_time.user_sec`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +CPU time spent outside the kernel. -type: keyword + +type: float -- -*`rsa.misc.category`*:: +*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +CPU time spent inside the kernel. -type: keyword + +type: float -- -*`rsa.misc.obj_name`*:: +*`elasticsearch.gc.phase.cpu_time.real_sec`*:: + -- -This is used to capture name of object +Total elapsed CPU time spent to complete the collection from start to finish. -type: keyword + +type: float -- -*`rsa.misc.obj_type`*:: +*`elasticsearch.gc.jvm_runtime_sec`*:: + -- -This is used to capture type of object +The time from JVM start up in seconds, as a floating point number. -type: keyword + +type: float -- -*`rsa.misc.event_source`*:: +*`elasticsearch.gc.threads_total_stop_time_sec`*:: + -- -This key captures Source of the event that’s not a hostname +Garbage collection threads total stop time seconds. -type: keyword + +type: float -- -*`rsa.misc.log_session_id`*:: +*`elasticsearch.gc.stopping_threads_time_sec`*:: + -- -This key is used to capture a sessionid from the session directly +Time took to stop threads seconds. -type: keyword + +type: float -- -*`rsa.misc.group`*:: +*`elasticsearch.gc.tags`*:: + -- -This key captures the Group Name value +GC logging tags. + type: keyword -- -*`rsa.misc.policy_name`*:: +[float] +=== heap + +Heap allocation and total size. 
+ + + +*`elasticsearch.gc.heap.size_kb`*:: + -- -This key is used to capture the Policy Name only. +Total heap size in kilobytes. -type: keyword + +type: integer -- -*`rsa.misc.rule_name`*:: +*`elasticsearch.gc.heap.used_kb`*:: + -- -This key captures the Rule Name +Used heap in kilobytes. -type: keyword + +type: integer -- -*`rsa.misc.context`*:: +[float] +=== old_gen + +Old generation occupancy and total size. + + + +*`elasticsearch.gc.old_gen.size_kb`*:: + -- -This key captures Information which adds additional context to the event. +Total size of old generation in kilobytes. -type: keyword + +type: integer -- -*`rsa.misc.change_new`*:: +*`elasticsearch.gc.old_gen.used_kb`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +Old generation occupancy in kilobytes. -type: keyword + +type: integer -- -*`rsa.misc.space`*:: +[float] +=== young_gen + +Young generation occupancy and total size. + + + +*`elasticsearch.gc.young_gen.size_kb`*:: + -- -type: keyword +Total size of young generation in kilobytes. + + +type: integer -- -*`rsa.misc.client`*:: +*`elasticsearch.gc.young_gen.used_kb`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. +Young generation occupancy in kilobytes. -type: keyword + +type: integer -- -*`rsa.misc.msgIdPart1`*:: +[float] +=== server + +Server log file + + +*`elasticsearch.server.stacktrace`*:: + -- -type: keyword +Field is not indexed. 
-- -*`rsa.misc.msgIdPart2`*:: +[float] +=== gc + +GC log + + +[float] +=== young + +Young GC + + +*`elasticsearch.server.gc.young.one`*:: + -- -type: keyword + + +type: long + +example: -- -*`rsa.misc.change_old`*:: +*`elasticsearch.server.gc.young.two`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session -type: keyword + +type: long + +example: -- -*`rsa.misc.operation_id`*:: +*`elasticsearch.server.gc.overhead_seq`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +Sequence number -type: keyword +type: long + +example: 3449992 -- -*`rsa.misc.event_state`*:: +*`elasticsearch.server.gc.collection_duration.ms`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. +Time spent in GC, in milliseconds -type: keyword +type: float + +example: 1600 -- -*`rsa.misc.group_object`*:: +*`elasticsearch.server.gc.observation_duration.ms`*:: + -- -This key captures a collection/grouping of entities. Specific usage +Total time over which collection was observed, in milliseconds -type: keyword +type: float + +example: 1800 -- -*`rsa.misc.node`*:: +[float] +=== slowlog + +Slowlog events from Elasticsearch + + +*`elasticsearch.slowlog.logger`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. +Logger name type: keyword +example: index.search.slowlog.fetch + -- -*`rsa.misc.rule`*:: +*`elasticsearch.slowlog.took`*:: + -- -This key captures the Rule number +Time it took to execute the query type: keyword +example: 300ms + -- -*`rsa.misc.device_name`*:: +*`elasticsearch.slowlog.types`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +Types type: keyword +example: + -- -*`rsa.misc.param`*:: +*`elasticsearch.slowlog.stats`*:: + -- -This key is the parameters passed as part of a command or application, etc. 
+Stats groups type: keyword +example: group1 + -- -*`rsa.misc.change_attrib`*:: +*`elasticsearch.slowlog.search_type`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +Search type type: keyword +example: QUERY_THEN_FETCH + -- -*`rsa.misc.event_computer`*:: +*`elasticsearch.slowlog.source_query`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +Slow query type: keyword +example: {"query":{"match_all":{"boost":1.0}}} + -- -*`rsa.misc.reference_id1`*:: +*`elasticsearch.slowlog.extra_source`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +Extra source information type: keyword +example: + -- -*`rsa.misc.event_log`*:: +*`elasticsearch.slowlog.total_hits`*:: + -- -This key captures the Name of the event log +Total hits type: keyword +example: 42 + -- -*`rsa.misc.OS`*:: +*`elasticsearch.slowlog.total_shards`*:: + -- -This key captures the Name of the Operating System +Total queried shards type: keyword +example: 22 + -- -*`rsa.misc.terminal`*:: +*`elasticsearch.slowlog.routing`*:: + -- -This key captures the Terminal Names only +Routing type: keyword +example: s01HZ2QBk9jw4gtgaFtn + -- -*`rsa.misc.msgIdPart3`*:: +*`elasticsearch.slowlog.id`*:: + -- +Id + type: keyword +example: + -- -*`rsa.misc.filter`*:: +*`elasticsearch.slowlog.type`*:: + -- -This key captures Filter used to reduce result set +Type type: keyword +example: doc + -- -*`rsa.misc.serial_number`*:: +*`elasticsearch.slowlog.source`*:: + -- -This key is the Serial number associated with a physical asset. 
+Source of document that was indexed type: keyword -- -*`rsa.misc.checksum`*:: +[[exported-fields-envoyproxy]] +== Envoyproxy fields + +Module for handling logs produced by envoy + + + +[float] +=== envoyproxy + +Fields from envoy proxy logs after normalization + + + +*`envoyproxy.log_type`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +Envoy log type, normally ACCESS + type: keyword -- -*`rsa.misc.event_user`*:: +*`envoyproxy.response_flags`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +Response flags + type: keyword -- -*`rsa.misc.virusname`*:: +*`envoyproxy.upstream_service_time`*:: + -- -This key captures the name of the virus +Upstream service time in nanoseconds -type: keyword + +type: long + +format: duration -- -*`rsa.misc.content_type`*:: +*`envoyproxy.request_id`*:: + -- -This key is used to capture Content Type only. +ID of the request + type: keyword -- -*`rsa.misc.group_id`*:: +*`envoyproxy.authority`*:: + -- -This key captures Group ID Number (related to the group name) +Envoy proxy authority field + type: keyword -- -*`rsa.misc.policy_id`*:: +*`envoyproxy.proxy_type`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +Envoy proxy type, tcp or http + type: keyword -- -*`rsa.misc.vsys`*:: +[[exported-fields-f5]] +== Big-IP Access Policy Manager fields + +f5 fields. + + + +*`network.interface.name`*:: + -- -This key captures Virtual System Name +Name of the network interface where the traffic has been observed. 
+ type: keyword -- -*`rsa.misc.connection_id`*:: + + +*`rsa.internal.msg`*:: + -- -This key captures the Connection ID +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.internal.messageid`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.internal.event_desc`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.internal.message`*:: + -- -This key captures IDS/IPS Int Signature ID +This key captures the contents of instant messages -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.internal.time`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -*`rsa.misc.rule_group`*:: +*`rsa.internal.level`*:: + -- -This key captures the Rule group name +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.risk_num`*:: +*`rsa.internal.msg_id`*:: + -- -This key captures a Numeric Risk value +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.internal.msg_vid`*:: + -- -This key captures the Value of the trigger or threshold condition. +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.internal.data`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.internal.obj_server`*:: + -- -This key captures the Version level of a sub-component of a product. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.internal.obj_val`*:: + -- -This key captures Version level of a signature or database content. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.internal.resource`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.internal.obj_id`*:: + -- -This key captures the non-numeric risk value +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.status`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.internal.hcode`*:: + -- -This key is used to capture the mailbox id/name +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.internal.inode`*:: + -- -This key is the Unique Identifier for a rule. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.trigger_desc`*:: +*`rsa.internal.resource_class`*:: + -- -This key captures the Description of the trigger or threshold condition. +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.internal.dead`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.p_msgid`*:: +*`rsa.internal.feed_desc`*:: + -- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.internal.cid`*:: + -- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.error`*:: +*`rsa.internal.device_class`*:: + -- -This key captures All non successful Error codes or responses +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.index`*:: +*`rsa.internal.device_group`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.internal.device_host`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.internal.device_ip`*:: + -- -type: keyword +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.misc.observed_val`*:: +*`rsa.internal.device_ipv6`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.policy_value`*:: +*`rsa.internal.device_type`*:: + -- -This key captures the contents of the policy. This contains details about the policy +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.internal.device_type_id`*:: + -- -This key captures the name of a resource pool +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.rule_template`*:: +*`rsa.internal.did`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +This is the unique identifier used to identify a NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.count`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.number`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.sigcat`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.type`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.internal.forward_ip`*:: + -- -Comment information provided in the log message +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`rsa.misc.doc_number`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key captures File Identification number +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: ip -- -*`rsa.misc.expected_val`*:: +*`rsa.internal.header_id`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.internal.lc_cid`*:: + -- -This key captures the Job Number +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.internal.lc_ctime`*:: + -- -Destination SPI Index +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.misc.spi_src`*:: +*`rsa.internal.mcb_req`*:: + -- -Source SPI Index +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.misc.code`*:: +*`rsa.internal.mcb_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`rsa.misc.agent_id`*:: +*`rsa.internal.mcbc_req`*:: + -- -This key is used to capture agent id +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.message_body`*:: +*`rsa.internal.mcbc_res`*:: + -- -This key captures the The contents of the message body. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.phone`*:: +*`rsa.internal.medium`*:: + -- -type: keyword +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long -- -*`rsa.misc.sig_id_str`*:: +*`rsa.internal.node_name`*:: + -- -This key captures a string object of the sigid variable. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.internal.nwe_callback_id`*:: + -- +This key denotes that event is endpoint related + type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.name`*:: +*`rsa.internal.payload_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.misc.cpu`*:: +*`rsa.internal.payload_res`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`rsa.misc.event_desc`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This key is used to capture a description of an event available directly or inferred +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.internal.process_vid_src`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. 
-type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.internal.rid`*:: + -- -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.im_client`*:: +*`rsa.internal.session_split`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.internal.site`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.internal.size`*:: + -- -type: keyword +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.priority`*:: +*`rsa.internal.sourcefile`*:: + -- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.internal.ubc_req`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.misc.context_target`*:: +*`rsa.internal.ubc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`rsa.misc.cve`*:: +*`rsa.internal.word`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.misc.fcatnum`*:: + +*`rsa.time.event_time`*:: + -- -This key captures Filter Category Number. Legacy Usage +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.misc.library`*:: +*`rsa.time.duration_time`*:: + -- -This key is used to capture library information in mainframe devices +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.misc.parent_node`*:: +*`rsa.time.event_time_str`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.time.starttime`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.misc.tcp_flags`*:: +*`rsa.time.month`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.time.day`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.time.endtime`*:: + -- -VMWare Target **VMWARE** only varaible. 
+This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.misc.workspace`*:: +*`rsa.time.timezone`*:: + -- -This key captures Workspace Description +This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.misc.command`*:: +*`rsa.time.duration_str`*:: + -- +A text string version of the duration + type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.time.recorded_time`*:: + -- -type: keyword +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`rsa.misc.jobname`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.time.effective_time`*:: + -- -type: keyword +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date -- -*`rsa.misc.policy`*:: +*`rsa.time.expire_time`*:: + -- -type: keyword +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`rsa.misc.policy_waiver`*:: +*`rsa.time.process_time`*:: + -- +Deprecated, use duration.time + type: keyword -- -*`rsa.misc.second`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.time.event_queue_time`*:: + -- -type: keyword +This key is the Time that the event was queued. 
+ +type: date -- -*`rsa.misc.alert_id`*:: +*`rsa.time.p_time1`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.time.tzone`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.time.eventtime`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.time.gmtdate`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.time.gmttime`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.time.p_date`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.time.p_month`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.time.p_time`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.time.p_time2`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.time.p_year`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.time.expire_time_str`*:: + -- -This key captures Risk Number SandBox +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.time.stamp`*:: + -- -This key captures Risk Number Static +Deprecated key defined only in table map. 
-type: double +type: date -- -*`rsa.misc.risk_suspicious`*:: + +*`rsa.misc.action`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.result`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.severity`*:: + -- -SNMP Object Identifier +This key is used to capture the severity given the session type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.event_type`*:: + -- -This key captures the SQL query +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.reference_id`*:: + -- -This key captures the Vulnerability Reference details +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.version`*:: + -- +This key captures Version of the application or OS which is generating the event. + type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.disposition`*:: + -- +This key captures the The end state of an action. 
+ type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.result_code`*:: + -- +This key is used to capture the outcome/result numeric value of an action in a session + type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.category`*:: + -- +This key is used to capture the category of an event given by the vendor in the session + type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.obj_name`*:: + -- +This is used to capture name of object + type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.obj_type`*:: + -- +This is used to capture type of object + type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.event_source`*:: + -- +This key captures Source of the event that’s not a hostname + type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.log_session_id`*:: + -- +This key is used to capture a sessionid from the session directly + type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.group`*:: + -- +This key captures the Group Name value + type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.policy_name`*:: + -- +This key is used to capture the Policy Name only. + type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.rule_name`*:: + -- +This key captures the Rule Name + type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.context`*:: + -- +This key captures Information which adds additional context to the event. + type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.change_new`*:: + -- +This key is used to capture the new values of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.client`*:: + -- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.change_old`*:: + -- +This key is used to capture the old value of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.operation_id`*:: + -- +An alert number or operation number. The values should be unique and non-repeating. + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.group_object`*:: + -- +This key captures a collection/grouping of entities. Specific usage + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.node`*:: + -- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.rule`*:: + -- +This key captures the Rule number + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.device_name`*:: + -- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.param`*:: + -- +This key is the parameters passed as part of a command or application, etc. + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.change_attrib`*:: + -- +This key is used to capture the name of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.event_computer`*:: + -- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.reference_id1`*:: + -- +This key is for Linked ID to be used as an addition to "reference.id" + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.event_log`*:: + -- +This key captures the Name of the event log + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.OS`*:: + -- +This key captures the Name of the Operating System + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.terminal`*:: + -- +This key captures the Terminal Names only + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.filter`*:: + -- +This key captures Filter used to reduce result set + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.serial_number`*:: + -- +This key is the Serial number associated with a physical asset. + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.checksum`*:: + -- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.event_user`*:: + -- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.virusname`*:: + -- +This key captures the name of the virus + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.content_type`*:: + -- +This key is used to capture Content Type only. 
+ type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.group_id`*:: + -- +This key captures Group ID Number (related to the group name) + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.policy_id`*:: + -- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.rule_group`*:: + -- +This key captures the Rule group name + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.risk_num`*:: + -- -type: keyword +This key captures a Numeric Risk value + +type: double -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.trigger_val`*:: + -- +This key captures the Value of the trigger or threshold condition. 
+ type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.log_session_id1`*:: + -- +This key is used to capture a Linked (Related) Session ID from the session directly + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.comp_version`*:: + -- +This key captures the Version level of a sub-component of a product. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.content_version`*:: + -- +This key captures Version level of a signature or database content. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.hardware_id`*:: + -- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.risk`*:: + -- +This key captures the non-numeric risk value + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.trigger_desc`*:: + -- +This key captures the Description of the trigger or threshold condition. 
+ type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.listnum`*:: + -- +This key is used to capture listname or listnumber, primarily for collecting access-list + type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.misc.observed_val`*:: + -- +This key captures the Value observed (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.misc.policy_value`*:: + -- +This key captures the contents of the policy. 
This contains details about the policy + type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.pool_name`*:: + -- +This key captures the name of a resource pool + type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.misc.rule_template`*:: + -- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.misc.comments`*:: + -- +Comment information provided in the log message + type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.misc.doc_number`*:: + -- -type: keyword +This key captures File Identification number + +type: long -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.misc.expected_val`*:: + -- +This key captures the Value expected (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.misc.job_num`*:: + -- +This key captures the Job Number + type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.misc.spi_dst`*:: + -- +Destination SPI Index + type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.misc.spi_src`*:: + -- +Source SPI Index + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.misc.agent_id`*:: + -- +This key is used to capture agent id + type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.misc.message_body`*:: + -- +This key captures the The contents of the message body. + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.misc.sig_id_str`*:: + -- +This key captures a string object of the sigid variable. 
+ type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.misc.cpu`*:: + -- -type: keyword +This key is the CPU time used in the execution of the event being recorded. + +type: long -- -*`rsa.misc.cs_data`*:: +*`rsa.misc.event_desc`*:: + -- +This key is used to capture a description of an event available directly or inferred + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.misc.sig_id1`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.misc.context_subject`*:: + -- +This key is to be used in an audit context where the subject is the object being identified + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.misc.cve`*:: + -- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.fcatnum`*:: + -- +This key captures Filter Category Number. Legacy Usage + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.library`*:: + -- +This key is used to capture library information in mainframe devices + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.parent_node`*:: + -- +This key captures the Parent Node Name. Must be related to node variable. 
+ type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.misc.risk_info`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: keyword +This key is captures the TCP flags set in any packet of session + +type: long -- -*`rsa.misc.cs_loginname`*:: +*`rsa.misc.tos`*:: + -- -type: keyword +This key describes the type of service + +type: long -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.misc.vm_target`*:: + -- +VMWare Target **VMWARE** only varaible. + type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.misc.workspace`*:: + -- +This key captures Workspace Description + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.misc.alert_id`*:: + -- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.misc.checksum_dst`*:: + -- +This key is used to capture the checksum or hash of the the target entity such as a process or file. 
+ type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.misc.checksum_src`*:: + -- +This key is used to capture the checksum or hash of the source entity such as a file or process. + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.misc.fresult`*:: + -- -type: keyword +This key captures the Filter Result + +type: long -- -*`rsa.misc.dstburb`*:: +*`rsa.misc.payload_dst`*:: + -- +This key is used to capture destination payload + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.misc.payload_src`*:: + -- +This key is used to capture source payload + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.misc.pool_id`*:: + -- +This key captures the identifier (typically numeric field) of a resource pool + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: keyword +This key captures Risk Number Community + +type: double -- -*`rsa.misc.finterface`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: keyword +This key captures Risk Number NextGen + +type: double -- -*`rsa.misc.flags`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: keyword +This key captures Risk Number SandBox + +type: double -- -*`rsa.misc.gaddr`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: keyword +This key captures Risk Number Static + +type: double -- -*`rsa.misc.id3`*:: +*`rsa.misc.risk_suspicious`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.misc.risk_warning`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.misc.snmp_oid`*:: + -- +SNMP Object Identifier + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.misc.sql`*:: + -- +This key captures the SQL query + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.misc.vuln_ref`*:: + -- +This key captures the Vulnerability 
Reference details + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.misc.cn_asn_src`*:: + -- type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`rsa.misc.object`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- 
-*`rsa.misc.operation`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`rsa.misc.password_expire`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.misc.program`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- 
type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.misc.session`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- 
-*`rsa.misc.v_instafname`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This is used to capture Auto Run type - type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Valid Credit Card Numbers only - -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key captures the content type from protocol headers - type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Employee Identification Numbers only - -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -This is used to capture the results of regex match - type: keyword -- -*`rsa.misc.language`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -This is used to capture list of languages the client support and what it prefers - type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key is used to capture the session lifetime in seconds. - -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.misc.cs_context`*:: + -- -This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.misc.match`*:: +*`rsa.misc.cs_control`*:: + -- -This key is for regex match name from search.ini - type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.misc.cs_data`*:: + -- -This key captures the command line/launch argument of the target process or file - type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.misc.cs_datecret`*:: + -- -This key captures source parameter - type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This key captures the Search Text used - type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This key is used to capture the Signature Name only. - type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -SNMP set request value - type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key captures number of streams in session - -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.misc.cs_filetype`*:: + -- -This key captures IndexID of the index. - type: keyword -- -*`rsa.db.instance`*:: +*`rsa.misc.cs_fld`*:: + -- -This key is used to capture the database server instance name - type: keyword -- -*`rsa.db.database`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session - type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key captures the SQL transantion ID of the current session - type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key captures permission or privilege level assigned to a resource. 
- type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key is used to capture the table name - type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is used to capture the unique identifier for a database - type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key is used for the number of logical reads - -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key is used for the number of logical writes - -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key is used for the number of physical writes - -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - type: keyword -- -*`rsa.network.domain`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.misc.cs_payload`*:: + -- -This key should only be used when it’s a Destination Hostname - type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.misc.cs_registrant`*:: + -- -This is used to capture layer 7 protocols/service names - type: keyword -- -*`rsa.network.interface`*:: +*`rsa.misc.cs_registrar`*:: + -- -This key should be used when the source or destination context of an interface is not clear - type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.misc.cs_represult`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
- -type: long +type: keyword -- -*`rsa.network.eth_host`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Deprecated, use alias.mac - type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key should only be used when it’s a Source Interface - type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key should only be used when it’s a Destination Interface - type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.misc.cs_streams`*:: + -- -This key should only be used to capture the ID of the Virtual LAN - -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -This key should only be used when it’s a Source Zone. - type: keyword -- -*`rsa.network.zone`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -This key should be used when the source or destination context of a Zone is not clear - type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This key should only be used when it’s a Destination Zone. - type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key is used to capture the IP Address of the gateway - type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.misc.description`*:: + -- -This key is used to capture the ICMP type only - -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.misc.devvendor`*:: + -- -This key is used to capture the device network IPmask. 
- type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.misc.distance`*:: + -- -This key is used to capture the ICMP code only - -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.misc.dstburb`*:: + -- -This key should be used to capture additional protocol information - type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.misc.edomain`*:: + -- -This key is used for Destionation Device network mask - type: keyword -- -*`rsa.network.port`*:: +*`rsa.misc.edomaub`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.misc.euid`*:: + -- -This key is used for capturing source Network Mask - type: keyword -- -*`rsa.network.netname`*:: +*`rsa.misc.facility`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.misc.finterface`*:: + -- -Deprecated - -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`rsa.network.origin`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`rsa.network.addr`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.network.fport`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.network.phost`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.misc.linenum`*:: + -- -Deprecated, use 
host.dst - type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.misc.list_name`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.misc.load_data`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.misc.lport`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.misc.mbug_data`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
- type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.misc.misc_name`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.misc.msg_type`*:: + -- -This key captures the particular event activity(Ex:Logoff) - type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.misc.msgid`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) - type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.misc.netsessid`*:: + -- -This key captures the Subject of a particular Event(Ex:User) - type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.misc.num`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) - type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.misc.number1`*:: + -- -This key captures the Event category number - -type: long +type: keyword -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.misc.number2`*:: + -- -This key captures the event category name corresponding to the event cat code - type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.misc.nwwn`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.misc.object`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.misc.operation`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.misc.opkt`*:: + -- -This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.misc.orig_from`*:: + -- -This is used to capture behaviour of compromise - type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.misc.owner_id`*:: + -- -This is used to capture Enablers of Compromise - type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.misc.p_action`*:: + -- -This used to capture investigation category - type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.misc.p_filter`*:: + -- -This used to capture investigation context - type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.misc.p_group_object`*:: + -- -This is key capture indicator of compromise - type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.misc.p_id`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`rsa.misc.p_msgid1`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.misc.p_msgid2`*:: + -- -This is used to capture the number of times an event repeated - -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.misc.p_result1`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only - type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.misc.password_chg`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.misc.password_expire`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only - type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.misc.permgranted`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only - type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.misc.permwanted`*:: + 
-- -This is a generic ratio string key that should be used with the label dclass.r1 only - type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.misc.pgid`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only - type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.misc.policyUUID`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only - type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.misc.prog_asp_num`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only - type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.misc.program`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only - type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.misc.real_data`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only - type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.misc.rec_asp_device`*:: + -- -This key is used to capture authentication methods used only - type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.misc.rec_asp_num`*:: + -- -This key is used to capture the Role of a user only - type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.misc.rec_library`*:: + -- -X.500 (LDAP) Distinguished Name - type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.misc.recordnum`*:: + -- -This key is used to capture the type of logon method used. 
- type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.misc.ruid`*:: + -- -This key is used to capture the user profile - type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.misc.sburb`*:: + -- -This key is used to capture actual privileges used in accessing an object - type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.misc.sdomain_fld`*:: + -- -Radius realm or similar grouping of accounts - type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.misc.sec`*:: + -- -This key captures Destination User Session ID - type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.misc.sensorname`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - type: keyword -- -*`rsa.identity.org`*:: +*`rsa.misc.seqnum`*:: + -- -This key captures the User organization - type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.misc.session`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.misc.sessiontype`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.misc.sigUUID`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.misc.spi`*:: + -- -User's Department Names only - type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`rsa.misc.srcburb`*:: + -- -This key captures Source User Session ID - type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.misc.srcdom`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. - type: keyword -- -*`rsa.identity.federated_idp`*:: +*`rsa.misc.srcservice`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. 
- type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.misc.state`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.misc.status1`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.password`*:: +*`rsa.misc.svcno`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.misc.system`*:: + -- -This key should only be used to capture the role of a Host Machine - type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.misc.tgtdom`*:: + -- -This key is the Search criteria from an LDAP search - type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.misc.tgtdomain`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.misc.threshold`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.misc.type1`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.misc.udb_class`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.misc.url_fld`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - type: keyword -- -*`rsa.email.subject`*:: +*`rsa.misc.user_div`*:: + -- -This key is used to capture the subject string from an Email only. - type: keyword -- -*`rsa.email.email`*:: +*`rsa.misc.userid`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.misc.username_fld`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.misc.utcstamp`*:: + -- -Deprecated key defined only in table map. - type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.misc.v_instafname`*:: + -- -Deprecated, use permissions - type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.misc.virt_data`*:: + -- -This key captures the attachment file name - type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.file.binary`*:: +*`rsa.misc.autorun_type`*:: + -- -Deprecated key defined only in table map. 
+This is used to capture Auto Run type type: keyword -- -*`rsa.file.filename_dst`*:: +*`rsa.misc.cc_number`*:: + -- -This is used to capture name of the file targeted by the action +Valid Credit Card Numbers only -type: keyword +type: long -- -*`rsa.file.filename_src`*:: +*`rsa.misc.content`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key captures the content type from protocol headers type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.file.directory_dst`*:: +*`rsa.misc.found`*:: + -- -This key is used to capture the directory of the target process or file +This is used to capture the results of regex match type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.misc.language`*:: + -- -This key is used to capture the directory of the source process or file +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.misc.lifetime`*:: + -- -This is used to capture entropy vale of a file +This key is used to capture the session lifetime in seconds. -type: double +type: long -- -*`rsa.file.file_vendor`*:: +*`rsa.misc.link`*:: + -- -This is used to capture Company name of file located in version_info +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.misc.match`*:: + -- -This is used to capture name of the task +This key is for regex match name from search.ini type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.misc.param_dst`*:: + -- -Fully Qualified Domain Names +This key captures the command line/launch argument of the target process or file type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.misc.param_src`*:: + -- -This key is used to capture the Web cookies specifically. +This key captures source parameter type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.misc.sig_name`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +This key is used to capture the Signature Name only. -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.misc.snmp_value`*:: + -- -Web referer's domain +SNMP set request value type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.misc.streams`*:: + -- -This key captures Web referer's query portion of the URL +This key captures number of streams in session -type: keyword +type: long -- -*`rsa.web.remote_domain`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. 
+ type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.db.instance`*:: + -- -This key captures Web referer's page information +This key is used to capture the database server instance name type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.db.database`*:: + -- -Web referer's root URL path +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.web.p_user_agent`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.web.p_web_cookie`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.web.p_web_method`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes --- +type: long -*`rsa.web.p_web_referer`*:: -+ -- -type: keyword --- -*`rsa.web.web_extension_tmp`*:: +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.network.domain`*:: + -- type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.network.host_dst`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +This key should only be used when it’s a Destination Hostname type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.network.network_service`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This is used to capture layer 7 protocols/service names type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.network.interface`*:: + -- -This key is used to capture name of the alert +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.network.network_port`*:: + -- -This key is used to capture source of the threat +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- - -*`rsa.crypto.crypto`*:: +*`rsa.network.eth_host`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +Deprecated, use alias.mac type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.network.sinterface`*:: + -- -This key is for Source (Client) Cipher +This key should only be used when it’s a Source Interface type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.network.dinterface`*:: + -- -This key is used to capture the Certificate organization only +This key should only be used when it’s a Destination Interface type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.network.vlan`*:: + -- -This key is for Encryption peer's IP Address +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.network.zone_src`*:: + -- -This key captures Source (Client) Cipher Size +This key should only be used when it’s a Source Zone. 
-type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.network.zone`*:: + -- -IKE negotiation phase. +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.network.zone_dst`*:: + -- -This key captures the Encryption scheme used +This key should only be used when it’s a Destination Zone. type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.network.gateway`*:: + -- -This key is for Encryption peer’s identity +This key is used to capture the IP Address of the gateway type: keyword -- -*`rsa.crypto.sig_type`*:: +*`rsa.network.icmp_type`*:: + -- -This key captures the Signature Type +This key is used to capture the ICMP type only -type: keyword +type: long -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.network.icmp_code`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the ICMP code only -type: keyword +type: long -- -*`rsa.crypto.cert_error`*:: +*`rsa.network.protocol_detail`*:: + -- -This key captures the Certificate Error String +This key should be used to capture additional protocol information type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.network.dmask`*:: + -- -This key is for Destination (Server) Cipher +This key is used for Destionation Device network mask type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.network.port`*:: + -- -This key captures Destination (Server) Cipher Size +This key should only be used to capture a Network Port when the directionality is not clear type: long -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.network.smask`*:: + -- -Deprecated, use version +This key is used for capturing source Network Mask type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. 
+ type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.network.faddr`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.network.lhost`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.network.remote_domain_id`*:: + -- -This key is used for the hostname category value of a certificate - type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.network.addr`*:: + -- -This key is used to capture the Certificate serial number only - type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.network.dns_a_record`*:: + -- -This key captures Certificate validation status - type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.network.dns_ptr_record`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.network.phost`*:: + -- -This key is used to capture the Certificate signing authority only - type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.network.ad_computer_dst`*:: + -- -This key is used to capture the Certificate common name only +Deprecated, use host.dst type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.network.eth_type`*:: + -- -This key is used to capture the ssid of a Wireless Session +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only -type: keyword +type: long -- -*`rsa.wireless.access_point`*:: +*`rsa.network.ip_proto`*:: + -- -This key is used to capture the access point name. 
+This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: keyword +type: long -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.network.dns_cname_record`*:: + -- -This is used to capture the channel names - -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.network.dns_id`*:: + -- -This key captures either WLAN number/name - type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.network.dns_opcode`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.network.dns_resp`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.network.dns_type`*:: + -- -This uniquely identifies a port on a HBA. - type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.network.domain1`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.network.host_type`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. - type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.network.packet_length`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.network.host_orig`*:: + -- -This key captures the unique ID for a patient +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.network.rpayload`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.network.vlan_name`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key should only be used to capture the name of the Virtual LAN type: keyword -- -*`rsa.endpoint.host_state`*:: +*`rsa.investigations.ec_activity`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.investigations.ec_theme`*:: + -- -This key captures the path to the registry key +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.investigations.ec_subject`*:: + -- -This key captures values or decorators used within a registry entry +This key captures the Subject of a particular Event(Ex:User) type: keyword -- -[[exported-fields-fortinet]] -== Fortinet fields - -fortinet Module - - - -*`network.interface.name`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Name of the network interface where the traffic has been observed. - +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- - - -*`rsa.internal.msg`*:: +*`rsa.investigations.event_cat`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +This key captures the Event category number -type: keyword +type: long -- -*`rsa.internal.messageid`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
+ type: keyword -- -*`rsa.internal.message`*:: +*`rsa.investigations.analysis_file`*:: + -- -This key captures the contents of instant messages +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`rsa.internal.time`*:: +*`rsa.investigations.analysis_service`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.investigations.analysis_session`*:: + -- -Deprecated key defined only in table map. +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.investigations.boc`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture behaviour of compromise type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.investigations.eoc`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture Enablers of Compromise type: keyword -- -*`rsa.internal.data`*:: +*`rsa.investigations.inv_category`*:: + -- -Deprecated key defined only in table map. 
+This used to capture investigation category type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.investigations.inv_context`*:: + -- -Deprecated key defined only in table map. +This used to capture investigation context type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.investigations.ioc`*:: + -- -Deprecated key defined only in table map. +This is key capture indicator of compromise type: keyword -- -*`rsa.internal.resource`*:: + +*`rsa.counters.dclass_c1`*:: + -- -Deprecated key defined only in table map. +This is a generic counter key that should be used with the label dclass.c1.str only -type: keyword +type: long -- -*`rsa.internal.obj_id`*:: +*`rsa.counters.dclass_c2`*:: + -- -Deprecated key defined only in table map. +This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`rsa.internal.statement`*:: +*`rsa.counters.event_counter`*:: + -- -Deprecated key defined only in table map. +This is used to capture the number of times an event repeated -type: keyword +type: long -- -*`rsa.internal.audit_class`*:: +*`rsa.counters.dclass_r1`*:: + -- -Deprecated key defined only in table map. +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.counters.dclass_c3`*:: + -- -Deprecated key defined only in table map. +This is a generic counter key that should be used with the label dclass.c3.str only -type: keyword +type: long -- -*`rsa.internal.hcode`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Deprecated key defined only in table map. +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -Deprecated key defined only in table map. 
+This is a generic counter string key that should be used with the label dclass.c2 only -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Deprecated key defined only in table map. +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.counters.dclass_r2`*:: + -- -Deprecated key defined only in table map. +This is a generic ratio key that should be used with the label dclass.r2.str only -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.counters.dclass_r3`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`rsa.internal.device_group`*:: + +*`rsa.identity.auth_method`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture authentication methods used only type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.identity.user_role`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the Role of a user only type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.identity.dn`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +X.500 (LDAP) Distinguished Name -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.identity.logon_type`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the type of logon method used. -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.identity.profile`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the user profile type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.identity.accesses`*:: + -- -Deprecated key defined only in table map. 
+This key is used to capture actual privileges used in accessing an object -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.identity.realm`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Radius realm or similar grouping of accounts type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.identity.user_sid_dst`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key captures Destination User Session ID -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.identity.dn_src`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.identity.org`*:: + -- -Deprecated key defined only in table map. +This key captures the User organization type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.identity.dn_dst`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.identity.firstname`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. 
+This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.identity.lastname`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.identity.user_dept`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +User's Department Names only type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.identity.user_sid_src`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Source User Session ID type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.identity.federated_sp`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is the Federated Service Provider. This is the application requesting authentication. -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.identity.federated_idp`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +This key is the federated Identity Provider. This is the server providing the authentication. 
-type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.identity.logon_type_desc`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.identity.middlename`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.identity.password`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +This key is for Passwords seen in any session, plain text or encrypted -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.identity.host_role`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +This key should only be used to capture the role of a Host Machine -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.identity.ldap`*:: + -- -Deprecated key defined only in table map. +This key is for Uninterpreted LDAP values. 
Ldap Values that don’t have a clear query or response context type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.identity.ldap_query`*:: + -- -This key denotes that event is endpoint related +This key is the Search criteria from an LDAP search type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.identity.ldap_response`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is to capture Results from an LDAP search type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.identity.owner`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +This is used to capture username the process or service is running as, the author of the task -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.identity.service_account`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: + +*`rsa.email.email_dst`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.email.email_src`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. 
+This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.email.subject`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the subject string from an Email only. -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.email.email`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`rsa.internal.site`*:: +*`rsa.email.trans_from`*:: + -- Deprecated key defined only in table map. 
@@ -60959,11137 +54303,11093 @@ type: keyword -- -*`rsa.internal.size`*:: +*`rsa.email.trans_to`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: + +*`rsa.file.privilege`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Deprecated, use permissions type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.file.attachment`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +This key captures the attachment file name -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.file.filesystem`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.file.binary`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +Deprecated key defined only in table map. type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.file.filename_dst`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +This is used to capture name of the file targeted by the action -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.file.filename_src`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. 
+This is used to capture name of the parent filename, the file which performed the action -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.file.filename_tmp`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.file.directory_dst`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +This key is used to capture the directory of the target process or file -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.time.day`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.time.endtime`*:: +*`rsa.file.file_vendor`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +This is used to capture Company name of file located in version_info -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.file.task_name`*:: + -- -This key is used to capture the timezone of the Event Time +This is used to capture name of the task type: keyword -- -*`rsa.time.duration_str`*:: + +*`rsa.web.fqdn`*:: + -- -A text string version of the duration +Fully Qualified Domain Names type: keyword -- -*`rsa.time.date`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.time.year`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.web.reputation_num`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. +Reputation Number of an entity. 
Typically used for Web Domains -type: date +type: double -- -*`rsa.time.datetime`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.web.web_ref_query`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +This key captures Web referer's query portion of the URL -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.web.remote_domain`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.web.web_ref_page`*:: + -- -Deprecated, use duration.time +This key captures Web referer's page information type: keyword -- -*`rsa.time.hour`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.time.min`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.web.urlpage`*:: + -- -This key is the Time that the event was queued. 
- -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.threat.alert`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +This key is used to capture name of the alert type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.threat.threat_source`*:: + -- -Deprecated key defined only in table map. +This key is used to capture source of the threat -type: date +type: keyword -- -*`rsa.misc.action`*:: +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.result`*:: +*`rsa.crypto.cipher_src`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. 
+This key is for Source (Client) Cipher type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.crypto.cert_subject`*:: + -- -This key is used to capture the severity given the session +This key is used to capture the Certificate organization only type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.crypto.peer`*:: + -- -This key captures the event category type as specified by the event source. +This key is for Encryption peer's IP Address type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -This key is used to capture an event id from the session directly +This key captures Source (Client) Cipher Size -type: keyword +type: long -- -*`rsa.misc.version`*:: +*`rsa.crypto.ike`*:: + -- -This key captures Version of the application or OS which is generating the event. +IKE negotiation phase. type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.crypto.scheme`*:: + -- -This key captures the The end state of an action. +This key captures the Encryption scheme used type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.crypto.peer_id`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +This key is for Encryption peer’s identity type: keyword -- -*`rsa.misc.category`*:: +*`rsa.crypto.sig_type`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +This key captures the Signature Type type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.crypto.cert_issuer`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.crypto.cert_host_name`*:: + -- -This is used to capture type of object +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.crypto.cert_error`*:: + -- -This key captures Source of the event that’s not a hostname +This key captures the Certificate Error String type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.crypto.cipher_dst`*:: + -- -This key is used to capture a sessionid from the session directly +This key is for Destination (Server) Cipher type: keyword -- -*`rsa.misc.group`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -This key captures the Group Name value +This key captures Destination (Server) Cipher Size -type: keyword +type: long -- -*`rsa.misc.policy_name`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -This key is used to capture the Policy Name only. +Deprecated, use version type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.crypto.d_certauth`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.crypto.s_certauth`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`rsa.misc.space`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.client`*:: +*`rsa.crypto.cert_checksum`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
- type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.crypto.cert_status`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session +This key captures Certificate validation status type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +Deprecated, use version type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.crypto.cert_keysize`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.crypto.cert_username`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.crypto.https_insact`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.crypto.https_valid`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.crypto.cert_ca`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +This key is used to capture the Certificate signing authority only type: keyword -- -*`rsa.misc.param`*:: +*`rsa.crypto.cert_common`*:: + -- -This key is the parameters passed as part of a command or application, etc. 
+This key is used to capture the Certificate common name only type: keyword -- -*`rsa.misc.change_attrib`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.wireless.access_point`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +This key is used to capture the access point name. type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.wireless.wlan_channel`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +This is used to capture the channel names -type: keyword +type: long -- -*`rsa.misc.event_log`*:: +*`rsa.wireless.wlan_name`*:: + -- -This key captures the Name of the event log +This key captures either WLAN number/name type: keyword -- -*`rsa.misc.OS`*:: + +*`rsa.storage.disk_volume`*:: + -- -This key captures the Name of the Operating System +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.storage.lun`*:: + -- -This key captures the Terminal Names only +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.storage.pwwn`*:: + -- +This uniquely identifies a port on a HBA. + type: keyword -- -*`rsa.misc.filter`*:: + +*`rsa.physical.org_dst`*:: + -- -This key captures Filter used to reduce result set +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.physical.org_src`*:: + -- -This key is the Serial number associated with a physical asset. +This is used to capture the source organization based on the GEOPIP Maxmind database. 
type: keyword -- -*`rsa.misc.checksum`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.healthcare.patient_id`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +This key captures the unique ID for a patient type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.healthcare.patient_lname`*:: + -- -This key captures the name of the virus +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.healthcare.patient_mname`*:: + -- -This key is used to capture Content Type only. 
+This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.group_id`*:: + +*`rsa.endpoint.host_state`*:: + -- -This key captures Group ID Number (related to the group name) +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.endpoint.registry_key`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +This key captures the path to the registry key type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures Virtual System Name +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.misc.connection_id`*:: +[[exported-fields-fortinet]] +== Fortinet fields + +fortinet Module + + + +*`network.interface.name`*:: + -- -This key captures the Connection ID +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.misc.reference_id2`*:: + + +*`rsa.internal.msg`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.internal.messageid`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.internal.event_desc`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.internal.message`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). 
+This key captures the contents of instant messages type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.internal.time`*:: + -- -This key captures the Rule group name +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -*`rsa.misc.risk_num`*:: +*`rsa.internal.level`*:: + -- -This key captures a Numeric Risk value +Deprecated key defined only in table map. -type: double +type: long -- -*`rsa.misc.trigger_val`*:: +*`rsa.internal.msg_id`*:: + -- -This key captures the Value of the trigger or threshold condition. +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.internal.msg_vid`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.internal.data`*:: + -- -This key captures the Version level of a sub-component of a product. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.internal.obj_server`*:: + -- -This key captures Version level of a signature or database content. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.internal.obj_val`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +Deprecated key defined only in table map. 
type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.internal.resource`*:: + -- -This key captures the non-numeric risk value +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.status`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.internal.entry`*:: + -- -This key is used to capture the mailbox id/name +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.internal.hcode`*:: + -- -This key is the Unique Identifier for a rule. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.internal.inode`*:: + -- -This key captures the Description of the trigger or threshold condition. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.inout`*:: +*`rsa.internal.resource_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.internal.dead`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.data_type`*:: +*`rsa.internal.feed_desc`*:: + -- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.error`*:: +*`rsa.internal.cid`*:: + -- -This key captures All non successful Error codes or responses +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.index`*:: +*`rsa.internal.device_class`*:: + -- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.internal.device_group`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.internal.device_host`*:: + -- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.internal.device_ip`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.policy_value`*:: +*`rsa.internal.device_ipv6`*:: + -- -This key captures the contents of the policy. 
This contains details about the policy +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.pool_name`*:: +*`rsa.internal.device_type`*:: + -- -This key captures the name of a resource pool +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.internal.device_type_id`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.count`*:: +*`rsa.internal.did`*:: + -- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.number`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.sigcat`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.type`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.internal.feed_category`*:: + -- -Comment information provided in the log message +This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.internal.forward_ip`*:: + -- -This key captures File Identification number +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: long +type: ip -- -*`rsa.misc.expected_val`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.job_num`*:: +*`rsa.internal.header_id`*:: + -- -This key captures the Job Number +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.internal.lc_cid`*:: + -- -Destination SPI Index +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.internal.lc_ctime`*:: + -- -Source SPI Index +This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.misc.code`*:: +*`rsa.internal.mcb_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`rsa.misc.agent_id`*:: +*`rsa.internal.mcb_res`*:: + -- -This key is used to capture agent id +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.misc.message_body`*:: +*`rsa.internal.mcbc_req`*:: + -- -This key captures the The contents of the message body. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.phone`*:: +*`rsa.internal.mcbc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`rsa.misc.sig_id_str`*:: +*`rsa.internal.medium`*:: + -- -This key captures a string object of the sigid variable. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`rsa.misc.cmd`*:: +*`rsa.internal.node_name`*:: + -- +Deprecated key defined only in table map. 
+ type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.internal.nwe_callback_id`*:: + -- +This key denotes that event is endpoint related + type: keyword -- -*`rsa.misc.name`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.internal.payload_req`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep type: long -- -*`rsa.misc.event_desc`*:: +*`rsa.internal.payload_res`*:: + -- -This key is used to capture a description of an event available directly or inferred +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.misc.sig_id1`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.internal.process_vid_src`*:: + -- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.internal.rid`*:: + -- -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.im_userid`*:: +*`rsa.internal.session_split`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.internal.site`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.internal.size`*:: + -- -type: keyword +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.context_subject`*:: +*`rsa.internal.sourcefile`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.internal.ubc_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`rsa.misc.cve`*:: +*`rsa.internal.ubc_res`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.misc.fcatnum`*:: +*`rsa.internal.word`*:: + -- -This key captures Filter Category Number. 
Legacy Usage +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.misc.library`*:: + +*`rsa.time.event_time`*:: + -- -This key is used to capture library information in mainframe devices +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.misc.parent_node`*:: +*`rsa.time.duration_time`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.misc.risk_info`*:: +*`rsa.time.event_time_str`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.time.starttime`*:: + -- -This key is captures the TCP flags set in any packet of session +This key is used to capture the Start time mentioned in a session in a standard form -type: long +type: date -- -*`rsa.misc.tos`*:: +*`rsa.time.month`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.time.day`*:: + -- -VMWare Target **VMWARE** only varaible. 
- type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.time.endtime`*:: + -- -This key captures Workspace Description +This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.misc.command`*:: +*`rsa.time.timezone`*:: + -- +This key is used to capture the timezone of the Event Time + type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.time.duration_str`*:: + -- +A text string version of the duration + type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.time.recorded_time`*:: + -- -type: keyword +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`rsa.misc.mode`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.time.effective_time`*:: + -- -type: keyword +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date -- -*`rsa.misc.policy_waiver`*:: +*`rsa.time.expire_time`*:: + -- -type: keyword +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`rsa.misc.second`*:: +*`rsa.time.process_time`*:: + -- +Deprecated, use duration.time + type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.time.event_queue_time`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is the Time that the event was queued. 
-type: keyword +type: date -- -*`rsa.misc.checksum_dst`*:: +*`rsa.time.p_time1`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.time.tzone`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.time.eventtime`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.time.gmtdate`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.time.gmttime`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.time.p_date`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.time.p_month`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.time.p_time`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.time.p_time2`*:: + -- -This key captures Risk Number NextGen +type: keyword -type: double +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.time.expire_time_str`*:: + -- -This key captures Risk Number SandBox +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.time.stamp`*:: + -- -This key captures Risk Number Static +Deprecated key defined only in table map. 
-type: double +type: date -- -*`rsa.misc.risk_suspicious`*:: + +*`rsa.misc.action`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.result`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.severity`*:: + -- -SNMP Object Identifier +This key is used to capture the severity given the session type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.event_type`*:: + -- -This key captures the SQL query +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.reference_id`*:: + -- -This key captures the Vulnerability Reference details +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.version`*:: + -- +This key captures Version of the application or OS which is generating the event. + type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.disposition`*:: + -- +This key captures the The end state of an action. 
+ type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.result_code`*:: + -- +This key is used to capture the outcome/result numeric value of an action in a session + type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.category`*:: + -- +This key is used to capture the category of an event given by the vendor in the session + type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.obj_name`*:: + -- +This is used to capture name of object + type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.obj_type`*:: + -- +This is used to capture type of object + type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.event_source`*:: + -- +This key captures Source of the event that’s not a hostname + type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.log_session_id`*:: + -- +This key is used to capture a sessionid from the session directly + type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.group`*:: + -- +This key captures the Group Name value + type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.policy_name`*:: + -- +This key is used to capture the Policy Name only. + type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.rule_name`*:: + -- +This key captures the Rule Name + type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.context`*:: + -- +This key captures Information which adds additional context to the event. + type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.change_new`*:: + -- +This key is used to capture the new values of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.client`*:: + -- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. 
+ type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.change_old`*:: + -- +This key is used to capture the old value of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.operation_id`*:: + -- +An alert number or operation number. The values should be unique and non-repeating. + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.group_object`*:: + -- +This key captures a collection/grouping of entities. Specific usage + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.node`*:: + -- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.rule`*:: + -- +This key captures the Rule number + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.device_name`*:: + -- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.param`*:: + -- +This key is the parameters passed as part of a command or application, etc. + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.change_attrib`*:: + -- +This key is used to capture the name of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.event_computer`*:: + -- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. 
+ type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.reference_id1`*:: + -- +This key is for Linked ID to be used as an addition to "reference.id" + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.event_log`*:: + -- +This key captures the Name of the event log + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.OS`*:: + -- +This key captures the Name of the Operating System + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.terminal`*:: + -- +This key captures the Terminal Names only + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.filter`*:: + -- +This key captures Filter used to reduce result set + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.serial_number`*:: + -- +This key is the Serial number associated with a physical asset. + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.checksum`*:: + -- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.event_user`*:: + -- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.virusname`*:: + -- +This key captures the name of the virus + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.content_type`*:: + -- +This key is used to capture Content Type only. 
+ type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.group_id`*:: + -- +This key captures Group ID Number (related to the group name) + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.policy_id`*:: + -- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.rule_group`*:: + -- +This key captures the Rule group name + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.risk_num`*:: + -- -type: keyword +This key captures a Numeric Risk value + +type: double -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.trigger_val`*:: + -- +This key captures the Value of the trigger or threshold condition. 
+ type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.log_session_id1`*:: + -- +This key is used to capture a Linked (Related) Session ID from the session directly + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.comp_version`*:: + -- +This key captures the Version level of a sub-component of a product. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.content_version`*:: + -- +This key captures Version level of a signature or database content. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.hardware_id`*:: + -- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.risk`*:: + -- +This key captures the non-numeric risk value + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.trigger_desc`*:: + -- +This key captures the Description of the trigger or threshold condition. 
+ type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.listnum`*:: + -- +This key is used to capture listname or listnumber, primarily for collecting access-list + type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.misc.observed_val`*:: + -- +This key captures the Value observed (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.misc.policy_value`*:: + -- +This key captures the contents of the policy. 
This contains details about the policy + type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.pool_name`*:: + -- +This key captures the name of a resource pool + type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.misc.rule_template`*:: + -- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.misc.comments`*:: + -- +Comment information provided in the log message + type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.misc.doc_number`*:: + -- -type: keyword +This key captures File Identification number + +type: long -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.misc.expected_val`*:: + -- +This key captures the Value expected (from the perspective of the device generating the log). + type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.misc.job_num`*:: + -- +This key captures the Job Number + type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.misc.spi_dst`*:: + -- +Destination SPI Index + type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.misc.spi_src`*:: + -- +Source SPI Index + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.misc.agent_id`*:: + -- +This key is used to capture agent id + type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.misc.message_body`*:: + -- +This key captures the The contents of the message body. + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.misc.sig_id_str`*:: + -- +This key captures a string object of the sigid variable. 
+ type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.misc.cpu`*:: + -- -type: keyword +This key is the CPU time used in the execution of the event being recorded. + +type: long -- -*`rsa.misc.cs_data`*:: +*`rsa.misc.event_desc`*:: + -- +This key is used to capture a description of an event available directly or inferred + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.misc.sig_id1`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.misc.context_subject`*:: + -- +This key is to be used in an audit context where the subject is the object being identified + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.misc.cve`*:: + -- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.fcatnum`*:: + -- +This key captures Filter Category Number. Legacy Usage + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.library`*:: + -- +This key is used to capture library information in mainframe devices + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.parent_node`*:: + -- +This key captures the Parent Node Name. Must be related to node variable. 
+ type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.misc.risk_info`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: keyword +This key is captures the TCP flags set in any packet of session + +type: long -- -*`rsa.misc.cs_loginname`*:: +*`rsa.misc.tos`*:: + -- -type: keyword +This key describes the type of service + +type: long -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.misc.vm_target`*:: + -- +VMWare Target **VMWARE** only varaible. + type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.misc.workspace`*:: + -- +This key captures Workspace Description + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.misc.alert_id`*:: + -- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.misc.checksum_dst`*:: + -- +This key is used to capture the checksum or hash of the the target entity such as a process or file. 
+ type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.misc.checksum_src`*:: + -- +This key is used to capture the checksum or hash of the source entity such as a file or process. + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.misc.fresult`*:: + -- -type: keyword +This key captures the Filter Result + +type: long -- -*`rsa.misc.dstburb`*:: +*`rsa.misc.payload_dst`*:: + -- +This key is used to capture destination payload + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.misc.payload_src`*:: + -- +This key is used to capture source payload + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.misc.pool_id`*:: + -- +This key captures the identifier (typically numeric field) of a resource pool + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: keyword +This key captures Risk Number Community + +type: double -- -*`rsa.misc.finterface`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: keyword +This key captures Risk Number NextGen + +type: double -- -*`rsa.misc.flags`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: keyword +This key captures Risk Number SandBox + +type: double -- -*`rsa.misc.gaddr`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: keyword +This key captures Risk Number Static + +type: double -- -*`rsa.misc.id3`*:: +*`rsa.misc.risk_suspicious`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.misc.risk_warning`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.misc.snmp_oid`*:: + -- +SNMP Object Identifier + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.misc.sql`*:: + -- +This key captures the SQL query + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.misc.vuln_ref`*:: + -- +This key captures the Vulnerability 
Reference details + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.misc.cn_asn_src`*:: + -- type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`rsa.misc.object`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- 
-*`rsa.misc.operation`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`rsa.misc.password_expire`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.misc.program`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- 
type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.misc.session`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- 
-*`rsa.misc.v_instafname`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This is used to capture Auto Run type - type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Valid Credit Card Numbers only - -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key captures the content type from protocol headers - type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Employee Identification Numbers only - -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -This is used to capture the results of regex match - type: keyword -- -*`rsa.misc.language`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -This is used to capture list of languages the client support and what it prefers - type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key is used to capture the session lifetime in seconds. - -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.misc.cs_context`*:: + -- -This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.misc.match`*:: +*`rsa.misc.cs_control`*:: + -- -This key is for regex match name from search.ini - type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.misc.cs_data`*:: + -- -This key captures the command line/launch argument of the target process or file - type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.misc.cs_datecret`*:: + -- -This key captures source parameter - type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This key captures the Search Text used - type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This key is used to capture the Signature Name only. - type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -SNMP set request value - type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key captures number of streams in session - -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.misc.cs_filetype`*:: + -- -This key captures IndexID of the index. - type: keyword -- -*`rsa.db.instance`*:: +*`rsa.misc.cs_fld`*:: + -- -This key is used to capture the database server instance name - type: keyword -- -*`rsa.db.database`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session - type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key captures the SQL transantion ID of the current session - type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key captures permission or privilege level assigned to a resource. 
- type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key is used to capture the table name - type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is used to capture the unique identifier for a database - type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key is used for the number of logical reads - -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key is used for the number of logical writes - -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key is used for the number of physical writes - -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - type: keyword -- -*`rsa.network.domain`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.misc.cs_payload`*:: + -- -This key should only be used when it’s a Destination Hostname - type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.misc.cs_registrant`*:: + -- -This is used to capture layer 7 protocols/service names - type: keyword -- -*`rsa.network.interface`*:: +*`rsa.misc.cs_registrar`*:: + -- -This key should be used when the source or destination context of an interface is not clear - type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.misc.cs_represult`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
- -type: long +type: keyword -- -*`rsa.network.eth_host`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Deprecated, use alias.mac - type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key should only be used when it’s a Source Interface - type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key should only be used when it’s a Destination Interface - type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.misc.cs_streams`*:: + -- -This key should only be used to capture the ID of the Virtual LAN - -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -This key should only be used when it’s a Source Zone. - type: keyword -- -*`rsa.network.zone`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -This key should be used when the source or destination context of a Zone is not clear - type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This key should only be used when it’s a Destination Zone. - type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key is used to capture the IP Address of the gateway - type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.misc.description`*:: + -- -This key is used to capture the ICMP type only - -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.misc.devvendor`*:: + -- -This key is used to capture the device network IPmask. 
- type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.misc.distance`*:: + -- -This key is used to capture the ICMP code only - -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.misc.dstburb`*:: + -- -This key should be used to capture additional protocol information - type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.misc.edomain`*:: + -- -This key is used for Destionation Device network mask - type: keyword -- -*`rsa.network.port`*:: +*`rsa.misc.edomaub`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.misc.euid`*:: + -- -This key is used for capturing source Network Mask - type: keyword -- -*`rsa.network.netname`*:: +*`rsa.misc.facility`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. - type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.misc.finterface`*:: + -- -Deprecated - -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`rsa.network.origin`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`rsa.network.addr`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.network.fport`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.network.phost`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.misc.linenum`*:: + -- -Deprecated, use 
host.dst - type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.misc.list_name`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.misc.load_data`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.misc.lport`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.misc.mbug_data`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. 
- type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.misc.misc_name`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.misc.msg_type`*:: + -- -This key captures the particular event activity(Ex:Logoff) - type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.misc.msgid`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) - type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.misc.netsessid`*:: + -- -This key captures the Subject of a particular Event(Ex:User) - type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.misc.num`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) - type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.misc.number1`*:: + -- -This key captures the Event category number - -type: long +type: keyword -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.misc.number2`*:: + -- -This key captures the event category name corresponding to the event cat code - type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.misc.nwwn`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.misc.object`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.misc.operation`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.misc.opkt`*:: + -- -This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.misc.orig_from`*:: + -- -This is used to capture behaviour of compromise - type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.misc.owner_id`*:: + -- -This is used to capture Enablers of Compromise - type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.misc.p_action`*:: + -- -This used to capture investigation category - type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.misc.p_filter`*:: + -- -This used to capture investigation context - type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.misc.p_group_object`*:: + -- -This is key capture indicator of compromise - type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.misc.p_id`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`rsa.misc.p_msgid1`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.misc.p_msgid2`*:: + -- -This is used to capture the number of times an event repeated - -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.misc.p_result1`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only - type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.misc.password_chg`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.misc.password_expire`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only - type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.misc.permgranted`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only - type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.misc.permwanted`*:: + 
-- -This is a generic ratio string key that should be used with the label dclass.r1 only - type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.misc.pgid`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only - type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.misc.policyUUID`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only - type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.misc.prog_asp_num`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only - type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.misc.program`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only - type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.misc.real_data`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only - type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.misc.rec_asp_device`*:: + -- -This key is used to capture authentication methods used only - type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.misc.rec_asp_num`*:: + -- -This key is used to capture the Role of a user only - type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.misc.rec_library`*:: + -- -X.500 (LDAP) Distinguished Name - type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.misc.recordnum`*:: + -- -This key is used to capture the type of logon method used. 
- type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.misc.ruid`*:: + -- -This key is used to capture the user profile - type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.misc.sburb`*:: + -- -This key is used to capture actual privileges used in accessing an object - type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.misc.sdomain_fld`*:: + -- -Radius realm or similar grouping of accounts - type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.misc.sec`*:: + -- -This key captures Destination User Session ID - type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.misc.sensorname`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - type: keyword -- -*`rsa.identity.org`*:: +*`rsa.misc.seqnum`*:: + -- -This key captures the User organization - type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.misc.session`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.misc.sessiontype`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.misc.sigUUID`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.misc.spi`*:: + -- -User's Department Names only - type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`rsa.misc.srcburb`*:: + -- -This key captures Source User Session ID - type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.misc.srcdom`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. - type: keyword -- -*`rsa.identity.federated_idp`*:: +*`rsa.misc.srcservice`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. 
- type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.misc.state`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.misc.status1`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.password`*:: +*`rsa.misc.svcno`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.misc.system`*:: + -- -This key should only be used to capture the role of a Host Machine - type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.misc.tgtdom`*:: + -- -This key is the Search criteria from an LDAP search - type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.misc.tgtdomain`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.misc.threshold`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.misc.type1`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.misc.udb_class`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.misc.url_fld`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - type: keyword -- -*`rsa.email.subject`*:: +*`rsa.misc.user_div`*:: + -- -This key is used to capture the subject string from an Email only. - type: keyword -- -*`rsa.email.email`*:: +*`rsa.misc.userid`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.misc.username_fld`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.misc.utcstamp`*:: + -- -Deprecated key defined only in table map. - type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.misc.v_instafname`*:: + -- -Deprecated, use permissions - type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.misc.virt_data`*:: + -- -This key captures the attachment file name - type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.file.binary`*:: +*`rsa.misc.autorun_type`*:: + -- -Deprecated key defined only in table map. 
+This is used to capture Auto Run type type: keyword -- -*`rsa.file.filename_dst`*:: +*`rsa.misc.cc_number`*:: + -- -This is used to capture name of the file targeted by the action +Valid Credit Card Numbers only -type: keyword +type: long -- -*`rsa.file.filename_src`*:: +*`rsa.misc.content`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key captures the content type from protocol headers type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.file.directory_dst`*:: +*`rsa.misc.found`*:: + -- -This key is used to capture the directory of the target process or file +This is used to capture the results of regex match type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.misc.language`*:: + -- -This key is used to capture the directory of the source process or file +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.misc.lifetime`*:: + -- -This is used to capture entropy vale of a file +This key is used to capture the session lifetime in seconds. -type: double +type: long -- -*`rsa.file.file_vendor`*:: +*`rsa.misc.link`*:: + -- -This is used to capture Company name of file located in version_info +This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.misc.match`*:: + -- -This is used to capture name of the task +This key is for regex match name from search.ini type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.misc.param_dst`*:: + -- -Fully Qualified Domain Names +This key captures the command line/launch argument of the target process or file type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.misc.param_src`*:: + -- -This key is used to capture the Web cookies specifically. +This key captures source parameter type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.misc.sig_name`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +This key is used to capture the Signature Name only. -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.misc.snmp_value`*:: + -- -Web referer's domain +SNMP set request value type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.misc.streams`*:: + -- -This key captures Web referer's query portion of the URL +This key captures number of streams in session -type: keyword +type: long -- -*`rsa.web.remote_domain`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. 
+ type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.db.instance`*:: + -- -This key captures Web referer's page information +This key is used to capture the database server instance name type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.db.database`*:: + -- -Web referer's root URL path +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.web.p_user_agent`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.web.p_web_cookie`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.web.p_web_method`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.web.p_web_referer`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.network.network_service`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +This is used to capture layer 7 protocols/service names type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.network.interface`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.network.network_port`*:: + -- -This key is used to capture name of the alert +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`rsa.threat.threat_source`*:: +*`rsa.network.eth_host`*:: + -- -This key is used to capture source of the threat +Deprecated, use alias.mac type: keyword -- - -*`rsa.crypto.crypto`*:: +*`rsa.network.sinterface`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +This key should only be used when it’s a Source Interface type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.network.dinterface`*:: + -- -This key is for Source (Client) Cipher +This key should only be used when it’s a Destination Interface type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.network.vlan`*:: + -- -This key is used to capture the Certificate organization only +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -*`rsa.crypto.peer`*:: +*`rsa.network.zone_src`*:: + -- -This key is for Encryption peer's IP Address +This key should only be used when it’s a Source Zone. 
type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.network.zone`*:: + -- -This key captures Source (Client) Cipher Size +This key should be used when the source or destination context of a Zone is not clear -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.network.zone_dst`*:: + -- -IKE negotiation phase. +This key should only be used when it’s a Destination Zone. type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.network.gateway`*:: + -- -This key captures the Encryption scheme used +This key is used to capture the IP Address of the gateway type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.network.icmp_type`*:: + -- -This key is for Encryption peer’s identity +This key is used to capture the ICMP type only -type: keyword +type: long -- -*`rsa.crypto.sig_type`*:: +*`rsa.network.mask`*:: + -- -This key captures the Signature Type +This key is used to capture the device network IPmask. type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.network.protocol_detail`*:: + -- -Deprecated key defined only in table map. 
+This key should be used to capture additional protocol information type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.network.dmask`*:: + -- -This key captures the Certificate Error String +This key is used for Destionation Device network mask type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.network.port`*:: + -- -This key is for Destination (Server) Cipher +This key should only be used to capture a Network Port when the directionality is not clear -type: keyword +type: long -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.network.smask`*:: + -- -This key captures Destination (Server) Cipher Size +This key is used for capturing source Network Mask -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.network.netname`*:: + -- -Deprecated, use version +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.crypto.s_certauth`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.network.lhost`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.network.origin`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.network.addr`*:: + -- -This key is used for the hostname category value of a certificate - type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.network.dns_a_record`*:: + -- -This key is used to capture the Certificate serial number only - type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.network.dns_ptr_record`*:: + -- -This key captures Certificate validation status - type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.network.fhost`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.cert_keysize`*:: 
+*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.network.ad_computer_dst`*:: + -- -This key is used to capture the Certificate signing authority only +Deprecated, use host.dst type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.network.eth_type`*:: + -- -This key is used to capture the Certificate common name only +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only -type: keyword +type: long -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.network.ip_proto`*:: + -- -This key is used to capture the ssid of a Wireless Session +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI -type: keyword +type: long -- -*`rsa.wireless.access_point`*:: +*`rsa.network.dns_cname_record`*:: + -- -This key is used to capture the access point name. - type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.network.dns_id`*:: + -- -This is used to capture the channel names - -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.network.dns_opcode`*:: + -- -This key captures either WLAN number/name - type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.network.dns_resp`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.network.dns_type`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.network.domain1`*:: + -- -This uniquely identifies a port on a HBA. - type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.network.host_type`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. 
- type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.network.packet_length`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. - type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.network.host_orig`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.network.rpayload`*:: + -- -This key captures the unique ID for a patient +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.network.vlan_name`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key should only be used to capture the name of the Virtual LAN type: keyword -- -*`rsa.healthcare.patient_mname`*:: + +*`rsa.investigations.ec_activity`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key captures the particular event activity(Ex:Logoff) type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.investigations.ec_theme`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.investigations.ec_subject`*:: + -- -This key captures the path to the registry key +This key captures the Subject of a particular Event(Ex:User) type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.investigations.ec_outcome`*:: + -- -This key captures values or decorators used within a registry entry +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -[float] -=== fortinet - -Fields from 
fortinet FortiOS +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number +type: long +-- -*`fortinet.file.hash.crc32`*:: +*`rsa.investigations.event_cat_name`*:: + -- -CRC32 Hash of file - +This key captures the event category name corresponding to the event cat code type: keyword -- -[float] -=== firewall - -Module for parsing Fortinet syslog. +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +type: keyword +-- -*`fortinet.firewall.acct_stat`*:: +*`rsa.investigations.analysis_file`*:: + -- -Accounting state (RADIUS) - +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`fortinet.firewall.acktime`*:: +*`rsa.investigations.analysis_service`*:: + -- -Alarm Acknowledge Time - +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service type: keyword -- -*`fortinet.firewall.act`*:: +*`rsa.investigations.analysis_session`*:: + -- -Action - +This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session type: keyword -- -*`fortinet.firewall.action`*:: +*`rsa.investigations.boc`*:: + -- -Status of the session - +This is used to capture behaviour of compromise type: keyword -- -*`fortinet.firewall.activity`*:: +*`rsa.investigations.eoc`*:: + -- -HA activity message - +This is used to capture Enablers of Compromise type: keyword -- -*`fortinet.firewall.addr`*:: +*`rsa.investigations.inv_category`*:: + -- -IP Address - +This used to capture investigation category -type: ip +type: keyword -- -*`fortinet.firewall.addr_type`*:: +*`rsa.investigations.inv_context`*:: + -- -Address Type - +This used to capture investigation context type: keyword -- -*`fortinet.firewall.addrgrp`*:: +*`rsa.investigations.ioc`*:: + -- -Address Group - +This is key capture indicator of compromise type: keyword -- -*`fortinet.firewall.adgroup`*:: + +*`rsa.counters.dclass_c1`*:: + -- -AD Group Name - +This is a generic counter key that should be used with the label dclass.c1.str only -type: keyword +type: long -- -*`fortinet.firewall.admin`*:: +*`rsa.counters.dclass_c2`*:: + -- -Admin User - +This is a generic counter key that should be used with the label dclass.c2.str only -type: keyword +type: long -- -*`fortinet.firewall.age`*:: +*`rsa.counters.event_counter`*:: + -- -Time in seconds - time passed since last seen - +This is used to capture the number of times an event repeated -type: integer +type: long -- -*`fortinet.firewall.agent`*:: +*`rsa.counters.dclass_r1`*:: + -- -User agent - eg. 
agent="Mozilla/5.0" - +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -- -*`fortinet.firewall.alarmid`*:: +*`rsa.counters.dclass_c3`*:: + -- -Alarm ID - +This is a generic counter key that should be used with the label dclass.c3.str only -type: integer +type: long -- -*`fortinet.firewall.alert`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Alert - +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`fortinet.firewall.analyticscksum`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -The checksum of the file submitted for analytics - +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -- -*`fortinet.firewall.analyticssubmit`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -The flag for analytics submission - +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`fortinet.firewall.ap`*:: +*`rsa.counters.dclass_r2`*:: + -- -Access Point - +This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -- -*`fortinet.firewall.app-type`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -Address Type - +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`fortinet.firewall.appact`*:: +*`rsa.counters.dclass_r3`*:: + -- -The security action from app control - +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`fortinet.firewall.appid`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Application ID - +This is a generic ratio string key that should be used with the label dclass.r2 only -type: integer +type: keyword -- -*`fortinet.firewall.applist`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -Application Control profile - +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`fortinet.firewall.apprisk`*:: + 
+*`rsa.identity.auth_method`*:: + -- -Application Risk Level - +This key is used to capture authentication methods used only type: keyword -- -*`fortinet.firewall.apscan`*:: +*`rsa.identity.user_role`*:: + -- -The name of the AP, which scanned and detected the rogue AP - +This key is used to capture the Role of a user only type: keyword -- -*`fortinet.firewall.apsn`*:: +*`rsa.identity.dn`*:: + -- -Access Point - +X.500 (LDAP) Distinguished Name type: keyword -- -*`fortinet.firewall.apstatus`*:: +*`rsa.identity.logon_type`*:: + -- -Access Point status - +This key is used to capture the type of logon method used. type: keyword -- -*`fortinet.firewall.aptype`*:: +*`rsa.identity.profile`*:: + -- -Access Point type - +This key is used to capture the user profile type: keyword -- -*`fortinet.firewall.assigned`*:: +*`rsa.identity.accesses`*:: + -- -Assigned IP Address - +This key is used to capture actual privileges used in accessing an object -type: ip +type: keyword -- -*`fortinet.firewall.assignip`*:: +*`rsa.identity.realm`*:: + -- -Assigned IP Address - +Radius realm or similar grouping of accounts -type: ip +type: keyword -- -*`fortinet.firewall.attachment`*:: +*`rsa.identity.user_sid_dst`*:: + -- -The flag for email attachement - +This key captures Destination User Session ID type: keyword -- -*`fortinet.firewall.attack`*:: +*`rsa.identity.dn_src`*:: + -- -Attack Name - +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -*`fortinet.firewall.attackcontext`*:: +*`rsa.identity.org`*:: + -- -The trigger patterns and the packetdata with base64 encoding - +This key captures the User organization type: keyword -- -*`fortinet.firewall.attackcontextid`*:: +*`rsa.identity.dn_dst`*:: + -- -Attack context id / total - +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`fortinet.firewall.attackid`*:: +*`rsa.identity.firstname`*:: + -- -Attack ID - +This key is for 
First Names only, this is used for Healthcare predominantly to capture Patients information -type: integer +type: keyword -- -*`fortinet.firewall.auditid`*:: +*`rsa.identity.lastname`*:: + -- -Audit ID - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`fortinet.firewall.auditscore`*:: +*`rsa.identity.user_dept`*:: + -- -The Audit Score - +User's Department Names only type: keyword -- -*`fortinet.firewall.audittime`*:: +*`rsa.identity.user_sid_src`*:: + -- -The time of the audit - +This key captures Source User Session ID -type: long +type: keyword -- -*`fortinet.firewall.authgrp`*:: +*`rsa.identity.federated_sp`*:: + -- -Authorization Group - +This key is the Federated Service Provider. This is the application requesting authentication. type: keyword -- -*`fortinet.firewall.authid`*:: +*`rsa.identity.federated_idp`*:: + -- -Authentication ID - +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -- -*`fortinet.firewall.authproto`*:: +*`rsa.identity.logon_type_desc`*:: + -- -The protocol that initiated the authentication - +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
type: keyword -- -*`fortinet.firewall.authserver`*:: +*`rsa.identity.middlename`*:: + -- -Authentication server - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`fortinet.firewall.bandwidth`*:: +*`rsa.identity.password`*:: + -- -Bandwidth - +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`fortinet.firewall.banned_rule`*:: +*`rsa.identity.host_role`*:: + -- -NAC quarantine Banned Rule Name - +This key should only be used to capture the role of a Host Machine type: keyword -- -*`fortinet.firewall.banned_src`*:: +*`rsa.identity.ldap`*:: + -- -NAC quarantine Banned Source IP - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`fortinet.firewall.banword`*:: +*`rsa.identity.ldap_query`*:: + -- -Banned word - +This key is the Search criteria from an LDAP search type: keyword -- -*`fortinet.firewall.botnetdomain`*:: +*`rsa.identity.ldap_response`*:: + -- -Botnet Domain Name - +This key is to capture Results from an LDAP search type: keyword -- -*`fortinet.firewall.botnetip`*:: +*`rsa.identity.owner`*:: + -- -Botnet IP Address - +This is used to capture username the process or service is running as, the author of the task -type: ip +type: keyword -- -*`fortinet.firewall.bssid`*:: +*`rsa.identity.service_account`*:: + -- -Service Set ID - +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage type: keyword -- -*`fortinet.firewall.call_id`*:: + +*`rsa.email.email_dst`*:: + -- -Caller ID - +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`fortinet.firewall.carrier_ep`*:: +*`rsa.email.email_src`*:: + -- -The FortiOS Carrier end-point identification - +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`fortinet.firewall.cat`*:: +*`rsa.email.subject`*:: + -- -DNS category ID - +This key is used to capture the subject string from an Email only. -type: integer +type: keyword -- -*`fortinet.firewall.category`*:: +*`rsa.email.email`*:: + -- -Authentication category - +This key is used to capture a generic email address where the source or destination context is not clear type: keyword -- -*`fortinet.firewall.cc`*:: +*`rsa.email.trans_from`*:: + -- -CC Email Address - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.cdrcontent`*:: +*`rsa.email.trans_to`*:: + -- -Cdrcontent - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.centralnatid`*:: + +*`rsa.file.privilege`*:: + -- -Central NAT ID - +Deprecated, use permissions -type: integer +type: keyword -- -*`fortinet.firewall.cert`*:: +*`rsa.file.attachment`*:: + -- -Certificate - +This key captures the attachment file name type: keyword -- -*`fortinet.firewall.cert-type`*:: +*`rsa.file.filesystem`*:: + -- -Certificate type - - type: keyword -- -*`fortinet.firewall.certhash`*:: +*`rsa.file.binary`*:: + -- -Certificate hash - +Deprecated key defined only in table map. 
type: keyword -- -*`fortinet.firewall.cfgattr`*:: +*`rsa.file.filename_dst`*:: + -- -Configuration attribute - +This is used to capture name of the file targeted by the action type: keyword -- -*`fortinet.firewall.cfgobj`*:: +*`rsa.file.filename_src`*:: + -- -Configuration object - +This is used to capture name of the parent filename, the file which performed the action type: keyword -- -*`fortinet.firewall.cfgpath`*:: +*`rsa.file.filename_tmp`*:: + -- -Configuration path - - type: keyword -- -*`fortinet.firewall.cfgtid`*:: +*`rsa.file.directory_dst`*:: + -- -Configuration transaction ID - +This key is used to capture the directory of the target process or file type: keyword -- -*`fortinet.firewall.cfgtxpower`*:: +*`rsa.file.directory_src`*:: + -- -Configuration TX power - +This key is used to capture the directory of the source process or file -type: integer +type: keyword -- -*`fortinet.firewall.channel`*:: +*`rsa.file.file_entropy`*:: + -- -Wireless Channel - +This is used to capture entropy vale of a file -type: integer +type: double -- -*`fortinet.firewall.channeltype`*:: +*`rsa.file.file_vendor`*:: + -- -SSH channel type - +This is used to capture Company name of file located in version_info type: keyword -- -*`fortinet.firewall.chassisid`*:: +*`rsa.file.task_name`*:: + -- -Chassis ID - +This is used to capture name of the task -type: integer +type: keyword -- -*`fortinet.firewall.checksum`*:: + +*`rsa.web.fqdn`*:: + -- -The checksum of the scanned file - +Fully Qualified Domain Names type: keyword -- -*`fortinet.firewall.chgheaders`*:: +*`rsa.web.web_cookie`*:: + -- -HTTP Headers - +This key is used to capture the Web cookies specifically. type: keyword -- -*`fortinet.firewall.cldobjid`*:: +*`rsa.web.alias_host`*:: + -- -Connector object ID - - type: keyword -- -*`fortinet.firewall.client_addr`*:: +*`rsa.web.reputation_num`*:: + -- -Wifi client address - +Reputation Number of an entity. 
Typically used for Web Domains -type: keyword +type: double -- -*`fortinet.firewall.cloudaction`*:: +*`rsa.web.web_ref_domain`*:: + -- -Cloud Action - +Web referer's domain type: keyword -- -*`fortinet.firewall.clouduser`*:: +*`rsa.web.web_ref_query`*:: + -- -Cloud User - +This key captures Web referer's query portion of the URL type: keyword -- -*`fortinet.firewall.column`*:: +*`rsa.web.remote_domain`*:: + -- -VOIP Column - - -type: integer +type: keyword -- -*`fortinet.firewall.command`*:: +*`rsa.web.web_ref_page`*:: + -- -CLI Command - +This key captures Web referer's page information type: keyword -- -*`fortinet.firewall.community`*:: +*`rsa.web.web_ref_root`*:: + -- -SNMP Community - +Web referer's root URL path type: keyword -- -*`fortinet.firewall.configcountry`*:: +*`rsa.web.cn_asn_dst`*:: + -- -Configuration country - - type: keyword -- -*`fortinet.firewall.connection_type`*:: +*`rsa.web.cn_rpackets`*:: + -- -FortiClient Connection Type - - type: keyword -- -*`fortinet.firewall.conserve`*:: +*`rsa.web.urlpage`*:: + -- -Flag for conserve mode - - type: keyword -- -*`fortinet.firewall.constraint`*:: +*`rsa.web.urlroot`*:: + -- -WAF http protocol restrictions - - type: keyword -- -*`fortinet.firewall.contentdisarmed`*:: +*`rsa.web.p_url`*:: + -- -Email scanned content - - type: keyword -- -*`fortinet.firewall.contenttype`*:: +*`rsa.web.p_user_agent`*:: + -- -Content Type from HTTP header +type: keyword +-- +*`rsa.web.p_web_cookie`*:: ++ +-- type: keyword -- -*`fortinet.firewall.cookies`*:: +*`rsa.web.p_web_method`*:: + -- -VPN Cookie +type: keyword +-- +*`rsa.web.p_web_referer`*:: ++ +-- type: keyword -- -*`fortinet.firewall.count`*:: +*`rsa.web.web_extension_tmp`*:: + -- -Counts of action type +type: keyword +-- -type: integer +*`rsa.web.web_page`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.countapp`*:: + +*`rsa.threat.threat_category`*:: + -- -Number of App Ctrl logs associated with the session - +This key captures Threat Name/Threat 
Category/Categorization of alert -type: integer +type: keyword -- -*`fortinet.firewall.countav`*:: +*`rsa.threat.threat_desc`*:: + -- -Number of AV logs associated with the session - +This key is used to capture the threat description from the session directly or inferred -type: integer +type: keyword -- -*`fortinet.firewall.countcifs`*:: +*`rsa.threat.alert`*:: + -- -Number of CIFS logs associated with the session - +This key is used to capture name of the alert -type: integer +type: keyword -- -*`fortinet.firewall.countdlp`*:: +*`rsa.threat.threat_source`*:: + -- -Number of DLP logs associated with the session - +This key is used to capture source of the threat -type: integer +type: keyword -- -*`fortinet.firewall.countdns`*:: + +*`rsa.crypto.crypto`*:: + -- -Number of DNS logs associated with the session - +This key is used to capture the Encryption Type or Encryption Key only -type: integer +type: keyword -- -*`fortinet.firewall.countemail`*:: +*`rsa.crypto.cipher_src`*:: + -- -Number of email logs associated with the session - +This key is for Source (Client) Cipher -type: integer +type: keyword -- -*`fortinet.firewall.countff`*:: +*`rsa.crypto.cert_subject`*:: + -- -Number of ff logs associated with the session - +This key is used to capture the Certificate organization only -type: integer +type: keyword -- -*`fortinet.firewall.countips`*:: +*`rsa.crypto.peer`*:: + -- -Number of IPS logs associated with the session - +This key is for Encryption peer's IP Address -type: integer +type: keyword -- -*`fortinet.firewall.countssh`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -Number of SSH logs associated with the session - +This key captures Source (Client) Cipher Size -type: integer +type: long -- -*`fortinet.firewall.countssl`*:: +*`rsa.crypto.ike`*:: + -- -Number of SSL logs associated with the session - +IKE negotiation phase. 
-type: integer +type: keyword -- -*`fortinet.firewall.countwaf`*:: +*`rsa.crypto.scheme`*:: + -- -Number of WAF logs associated with the session - +This key captures the Encryption scheme used -type: integer +type: keyword -- -*`fortinet.firewall.countweb`*:: +*`rsa.crypto.peer_id`*:: + -- -Number of Web filter logs associated with the session - +This key is for Encryption peer’s identity -type: integer +type: keyword -- -*`fortinet.firewall.cpu`*:: +*`rsa.crypto.sig_type`*:: + -- -CPU Usage - +This key captures the Signature Type -type: integer +type: keyword -- -*`fortinet.firewall.craction`*:: +*`rsa.crypto.cert_issuer`*:: + -- -Client Reputation Action - - -type: integer +type: keyword -- -*`fortinet.firewall.criticalcount`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Number of critical ratings - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`fortinet.firewall.crl`*:: +*`rsa.crypto.cert_error`*:: + -- -Client Reputation Level - +This key captures the Certificate Error String type: keyword -- -*`fortinet.firewall.crlevel`*:: +*`rsa.crypto.cipher_dst`*:: + -- -Client Reputation Level - +This key is for Destination (Server) Cipher type: keyword -- -*`fortinet.firewall.crscore`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -Some description - +This key captures Destination (Server) Cipher Size -type: integer +type: long -- -*`fortinet.firewall.cveid`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -CVE ID - +Deprecated, use version type: keyword -- -*`fortinet.firewall.daemon`*:: +*`rsa.crypto.d_certauth`*:: + -- -Daemon name - - type: keyword -- -*`fortinet.firewall.datarange`*:: +*`rsa.crypto.s_certauth`*:: + -- -Data range for reports - - type: keyword -- -*`fortinet.firewall.date`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -Date - +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`fortinet.firewall.ddnsserver`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -DDNS server - +ID of the negotiation — sent for ISAKMP Phase Two -type: ip +type: 
keyword -- -*`fortinet.firewall.desc`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Description - - type: keyword -- -*`fortinet.firewall.detectionmethod`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -Detection method - +This key is used for the hostname category value of a certificate type: keyword -- -*`fortinet.firewall.devcategory`*:: +*`rsa.crypto.cert_serial`*:: + -- -Device category - +This key is used to capture the Certificate serial number only type: keyword -- -*`fortinet.firewall.devintfname`*:: +*`rsa.crypto.cert_status`*:: + -- -HA device Interface Name - +This key captures Certificate validation status type: keyword -- -*`fortinet.firewall.devtype`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -Device type - +Deprecated, use version type: keyword -- -*`fortinet.firewall.dhcp_msg`*:: +*`rsa.crypto.cert_keysize`*:: + -- -DHCP Message - - type: keyword -- -*`fortinet.firewall.dintf`*:: +*`rsa.crypto.cert_username`*:: + -- -Destination interface - - type: keyword -- -*`fortinet.firewall.disk`*:: +*`rsa.crypto.https_insact`*:: + -- -Assosciated disk +type: keyword +-- +*`rsa.crypto.https_valid`*:: ++ +-- type: keyword -- -*`fortinet.firewall.disklograte`*:: +*`rsa.crypto.cert_ca`*:: + -- -Disk logging rate - +This key is used to capture the Certificate signing authority only -type: long +type: keyword -- -*`fortinet.firewall.dlpextra`*:: +*`rsa.crypto.cert_common`*:: + -- -DLP extra information - +This key is used to capture the Certificate common name only type: keyword -- -*`fortinet.firewall.docsource`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -DLP fingerprint document source - +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`fortinet.firewall.domainctrlauthstate`*:: +*`rsa.wireless.access_point`*:: + -- -CIFS domain auth state - +This key is used to capture the access point name. 
-type: integer +type: keyword -- -*`fortinet.firewall.domainctrlauthtype`*:: +*`rsa.wireless.wlan_channel`*:: + -- -CIFS domain auth type - +This is used to capture the channel names -type: integer +type: long -- -*`fortinet.firewall.domainctrldomain`*:: +*`rsa.wireless.wlan_name`*:: + -- -CIFS domain auth domain - +This key captures either WLAN number/name type: keyword -- -*`fortinet.firewall.domainctrlip`*:: + +*`rsa.storage.disk_volume`*:: + -- -CIFS Domain IP - +A unique name assigned to logical units (volumes) within a physical disk -type: ip +type: keyword -- -*`fortinet.firewall.domainctrlname`*:: +*`rsa.storage.lun`*:: + -- -CIFS Domain name - +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`fortinet.firewall.domainctrlprotocoltype`*:: +*`rsa.storage.pwwn`*:: + -- -CIFS Domain connection protocol - +This uniquely identifies a port on a HBA. -type: integer +type: keyword -- -*`fortinet.firewall.domainctrlusername`*:: + +*`rsa.physical.org_dst`*:: + -- -CIFS Domain username - +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`fortinet.firewall.domainfilteridx`*:: +*`rsa.physical.org_src`*:: + -- -Domain filter ID - +This is used to capture the source organization based on the GEOPIP Maxmind database. 
-type: integer +type: keyword -- -*`fortinet.firewall.domainfilterlist`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -Domain filter name - +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`fortinet.firewall.ds`*:: +*`rsa.healthcare.patient_id`*:: + -- -Direction with distribution system - +This key captures the unique ID for a patient type: keyword -- -*`fortinet.firewall.dst_int`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Destination interface - +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`fortinet.firewall.dstintfrole`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Destination interface role - +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`fortinet.firewall.dstcountry`*:: + +*`rsa.endpoint.host_state`*:: + -- -Destination country - +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`fortinet.firewall.dstdevcategory`*:: +*`rsa.endpoint.registry_key`*:: + -- -Destination device category - +This key captures the path to the registry key type: keyword -- -*`fortinet.firewall.dstdevtype`*:: +*`rsa.endpoint.registry_value`*:: + -- -Destination device type - +This key captures values or decorators used within a registry entry type: keyword -- -*`fortinet.firewall.dstfamily`*:: -+ --- -Destination OS family +[float] +=== fortinet +Fields from fortinet FortiOS -type: keyword --- -*`fortinet.firewall.dsthwvendor`*:: +*`fortinet.file.hash.crc32`*:: + -- -Destination HW vendor +CRC32 Hash of file type: keyword -- -*`fortinet.firewall.dsthwversion`*:: +[float] +=== firewall + +Module for parsing Fortinet syslog. 
+ + + +*`fortinet.firewall.acct_stat`*:: + -- -Destination HW version +Accounting state (RADIUS) type: keyword -- -*`fortinet.firewall.dstinetsvc`*:: +*`fortinet.firewall.acktime`*:: + -- -Destination interface service +Alarm Acknowledge Time type: keyword -- -*`fortinet.firewall.dstosname`*:: +*`fortinet.firewall.act`*:: + -- -Destination OS name +Action type: keyword -- -*`fortinet.firewall.dstosversion`*:: +*`fortinet.firewall.action`*:: + -- -Destination OS version +Status of the session type: keyword -- -*`fortinet.firewall.dstserver`*:: +*`fortinet.firewall.activity`*:: + -- -Destination server +HA activity message -type: integer +type: keyword -- -*`fortinet.firewall.dstssid`*:: +*`fortinet.firewall.addr`*:: + -- -Destination SSID +IP Address -type: keyword +type: ip -- -*`fortinet.firewall.dstswversion`*:: +*`fortinet.firewall.addr_type`*:: + -- -Destination software version +Address Type type: keyword -- -*`fortinet.firewall.dstunauthusersource`*:: +*`fortinet.firewall.addrgrp`*:: + -- -Destination unauthenticated source +Address Group type: keyword -- -*`fortinet.firewall.dstuuid`*:: +*`fortinet.firewall.adgroup`*:: + -- -UUID of the Destination IP address +AD Group Name type: keyword -- -*`fortinet.firewall.duid`*:: +*`fortinet.firewall.admin`*:: + -- -DHCP UID +Admin User type: keyword -- -*`fortinet.firewall.eapolcnt`*:: +*`fortinet.firewall.age`*:: + -- -EAPOL packet count +Time in seconds - time passed since last seen type: integer -- -*`fortinet.firewall.eapoltype`*:: +*`fortinet.firewall.agent`*:: + -- -EAPOL packet type +User agent - eg. 
agent="Mozilla/5.0" type: keyword -- -*`fortinet.firewall.encrypt`*:: +*`fortinet.firewall.alarmid`*:: + -- -Whether the packet is encrypted or not +Alarm ID type: integer -- -*`fortinet.firewall.encryption`*:: +*`fortinet.firewall.alert`*:: + -- -Encryption method +Alert type: keyword -- -*`fortinet.firewall.epoch`*:: +*`fortinet.firewall.analyticscksum`*:: + -- -Epoch used for locating file +The checksum of the file submitted for analytics -type: integer +type: keyword -- -*`fortinet.firewall.espauth`*:: +*`fortinet.firewall.analyticssubmit`*:: + -- -ESP Authentication +The flag for analytics submission type: keyword -- -*`fortinet.firewall.esptransform`*:: +*`fortinet.firewall.ap`*:: + -- -ESP Transform +Access Point type: keyword -- -*`fortinet.firewall.eventtype`*:: +*`fortinet.firewall.app-type`*:: + -- -UTM Event Type +Address Type type: keyword -- -*`fortinet.firewall.exch`*:: +*`fortinet.firewall.appact`*:: + -- -Mail Exchanges from DNS response answer section +The security action from app control type: keyword -- -*`fortinet.firewall.exchange`*:: +*`fortinet.firewall.appid`*:: + -- -Mail Exchanges from DNS response answer section +Application ID -type: keyword +type: integer -- -*`fortinet.firewall.expectedsignature`*:: +*`fortinet.firewall.applist`*:: + -- -Expected SSL signature +Application Control profile type: keyword -- -*`fortinet.firewall.expiry`*:: +*`fortinet.firewall.apprisk`*:: + -- -FortiGuard override expiry timestamp +Application Risk Level type: keyword -- -*`fortinet.firewall.fams_pause`*:: +*`fortinet.firewall.apscan`*:: + -- -Fortinet Analysis and Management Service Pause +The name of the AP, which scanned and detected the rogue AP -type: integer +type: keyword -- -*`fortinet.firewall.fazlograte`*:: +*`fortinet.firewall.apsn`*:: + -- -FortiAnalyzer Logging Rate +Access Point -type: long +type: keyword -- -*`fortinet.firewall.fctemssn`*:: +*`fortinet.firewall.apstatus`*:: + -- -FortiClient Endpoint SSN +Access Point status type: keyword 
-- -*`fortinet.firewall.fctuid`*:: +*`fortinet.firewall.aptype`*:: + -- -FortiClient UID +Access Point type type: keyword -- -*`fortinet.firewall.field`*:: +*`fortinet.firewall.assigned`*:: + -- -NTP status field +Assigned IP Address -type: keyword +type: ip -- -*`fortinet.firewall.filefilter`*:: +*`fortinet.firewall.assignip`*:: + -- -The filter used to identify the affected file +Assigned IP Address -type: keyword +type: ip -- -*`fortinet.firewall.filehashsrc`*:: +*`fortinet.firewall.attachment`*:: + -- -Filehash source +The flag for email attachement type: keyword -- -*`fortinet.firewall.filtercat`*:: +*`fortinet.firewall.attack`*:: + -- -DLP filter category +Attack Name type: keyword -- -*`fortinet.firewall.filteridx`*:: +*`fortinet.firewall.attackcontext`*:: + -- -DLP filter ID +The trigger patterns and the packetdata with base64 encoding -type: integer +type: keyword -- -*`fortinet.firewall.filtername`*:: +*`fortinet.firewall.attackcontextid`*:: + -- -DLP rule name +Attack context id / total type: keyword -- -*`fortinet.firewall.filtertype`*:: +*`fortinet.firewall.attackid`*:: + -- -DLP filter type +Attack ID -type: keyword +type: integer -- -*`fortinet.firewall.fortiguardresp`*:: +*`fortinet.firewall.auditid`*:: + -- -Antispam ESP value +Audit ID -type: keyword +type: long -- -*`fortinet.firewall.forwardedfor`*:: +*`fortinet.firewall.auditscore`*:: + -- -Email address forwarded +The Audit Score type: keyword -- -*`fortinet.firewall.fqdn`*:: +*`fortinet.firewall.audittime`*:: + -- -FQDN +The time of the audit + + +type: long + +-- + +*`fortinet.firewall.authgrp`*:: ++ +-- +Authorization Group type: keyword -- -*`fortinet.firewall.frametype`*:: +*`fortinet.firewall.authid`*:: + -- -Wireless frametype +Authentication ID type: keyword -- -*`fortinet.firewall.freediskstorage`*:: +*`fortinet.firewall.authproto`*:: + -- -Free disk integer +The protocol that initiated the authentication -type: integer +type: keyword -- -*`fortinet.firewall.from`*:: 
+*`fortinet.firewall.authserver`*:: + -- -From email address +Authentication server type: keyword -- -*`fortinet.firewall.from_vcluster`*:: +*`fortinet.firewall.bandwidth`*:: + -- -Source virtual cluster number +Bandwidth -type: integer +type: keyword -- -*`fortinet.firewall.fsaverdict`*:: +*`fortinet.firewall.banned_rule`*:: + -- -FSA verdict +NAC quarantine Banned Rule Name type: keyword -- -*`fortinet.firewall.fwserver_name`*:: +*`fortinet.firewall.banned_src`*:: + -- -Web proxy server name +NAC quarantine Banned Source IP type: keyword -- -*`fortinet.firewall.gateway`*:: +*`fortinet.firewall.banword`*:: + -- -Gateway ip address for PPPoE status report +Banned word -type: ip +type: keyword -- -*`fortinet.firewall.green`*:: +*`fortinet.firewall.botnetdomain`*:: + -- -Memory status +Botnet Domain Name type: keyword -- -*`fortinet.firewall.groupid`*:: +*`fortinet.firewall.botnetip`*:: + -- -User Group ID +Botnet IP Address -type: integer +type: ip -- -*`fortinet.firewall.ha-prio`*:: +*`fortinet.firewall.bssid`*:: + -- -HA Priority +Service Set ID -type: integer +type: keyword -- -*`fortinet.firewall.ha_group`*:: +*`fortinet.firewall.call_id`*:: + -- -HA Group +Caller ID type: keyword -- -*`fortinet.firewall.ha_role`*:: +*`fortinet.firewall.carrier_ep`*:: + -- -HA Role +The FortiOS Carrier end-point identification type: keyword -- -*`fortinet.firewall.handshake`*:: +*`fortinet.firewall.cat`*:: + -- -SSL Handshake +DNS category ID -type: keyword +type: integer -- -*`fortinet.firewall.hash`*:: +*`fortinet.firewall.category`*:: + -- -Hash value of downloaded file +Authentication category type: keyword -- -*`fortinet.firewall.hbdn_reason`*:: +*`fortinet.firewall.cc`*:: + -- -Heartbeat down reason +CC Email Address type: keyword -- -*`fortinet.firewall.highcount`*:: +*`fortinet.firewall.cdrcontent`*:: + -- -Highcount fabric summary +Cdrcontent -type: integer +type: keyword -- -*`fortinet.firewall.host`*:: +*`fortinet.firewall.centralnatid`*:: + -- -Hostname +Central NAT 
ID -type: keyword +type: integer -- -*`fortinet.firewall.iaid`*:: +*`fortinet.firewall.cert`*:: + -- -DHCPv6 id +Certificate type: keyword -- -*`fortinet.firewall.icmpcode`*:: +*`fortinet.firewall.cert-type`*:: + -- -Destination Port of the ICMP message +Certificate type type: keyword -- -*`fortinet.firewall.icmpid`*:: +*`fortinet.firewall.certhash`*:: + -- -Source port of the ICMP message +Certificate hash type: keyword -- -*`fortinet.firewall.icmptype`*:: +*`fortinet.firewall.cfgattr`*:: + -- -The type of ICMP message +Configuration attribute type: keyword -- -*`fortinet.firewall.identifier`*:: +*`fortinet.firewall.cfgobj`*:: + -- -Network traffic identifier +Configuration object -type: integer +type: keyword -- -*`fortinet.firewall.in_spi`*:: +*`fortinet.firewall.cfgpath`*:: + -- -IPSEC inbound SPI +Configuration path type: keyword -- -*`fortinet.firewall.incidentserialno`*:: +*`fortinet.firewall.cfgtid`*:: + -- -Incident serial number +Configuration transaction ID -type: integer +type: keyword -- -*`fortinet.firewall.infected`*:: +*`fortinet.firewall.cfgtxpower`*:: + -- -Infected MMS +Configuration TX power type: integer -- -*`fortinet.firewall.infectedfilelevel`*:: +*`fortinet.firewall.channel`*:: + -- -DLP infected file level +Wireless Channel type: integer -- -*`fortinet.firewall.informationsource`*:: +*`fortinet.firewall.channeltype`*:: + -- -Information source +SSH channel type type: keyword -- -*`fortinet.firewall.init`*:: +*`fortinet.firewall.chassisid`*:: + -- -IPSEC init stage +Chassis ID -type: keyword +type: integer -- -*`fortinet.firewall.initiator`*:: +*`fortinet.firewall.checksum`*:: + -- -Original login user name for Fortiguard override +The checksum of the scanned file type: keyword -- -*`fortinet.firewall.interface`*:: +*`fortinet.firewall.chgheaders`*:: + -- -Related interface +HTTP Headers type: keyword -- -*`fortinet.firewall.intf`*:: +*`fortinet.firewall.cldobjid`*:: + -- -Related interface +Connector object ID type: keyword -- 
-*`fortinet.firewall.invalidmac`*:: +*`fortinet.firewall.client_addr`*:: + -- -The MAC address with invalid OUI +Wifi client address type: keyword -- -*`fortinet.firewall.ip`*:: +*`fortinet.firewall.cloudaction`*:: + -- -Related IP +Cloud Action -type: ip +type: keyword -- -*`fortinet.firewall.iptype`*:: +*`fortinet.firewall.clouduser`*:: + -- -Related IP type +Cloud User type: keyword -- -*`fortinet.firewall.keyword`*:: +*`fortinet.firewall.column`*:: + -- -Keyword used for search +VOIP Column -type: keyword +type: integer -- -*`fortinet.firewall.kind`*:: +*`fortinet.firewall.command`*:: + -- -VOIP kind +CLI Command type: keyword -- -*`fortinet.firewall.lanin`*:: +*`fortinet.firewall.community`*:: + -- -LAN incoming traffic in bytes +SNMP Community -type: long +type: keyword -- -*`fortinet.firewall.lanout`*:: +*`fortinet.firewall.configcountry`*:: + -- -LAN outbound traffic in bytes +Configuration country -type: long +type: keyword -- -*`fortinet.firewall.lease`*:: +*`fortinet.firewall.connection_type`*:: + -- -DHCP lease +FortiClient Connection Type -type: integer +type: keyword -- -*`fortinet.firewall.license_limit`*:: +*`fortinet.firewall.conserve`*:: + -- -Maximum Number of FortiClients for the License +Flag for conserve mode type: keyword -- -*`fortinet.firewall.limit`*:: +*`fortinet.firewall.constraint`*:: + -- -Virtual Domain Resource Limit +WAF http protocol restrictions -type: integer +type: keyword -- -*`fortinet.firewall.line`*:: +*`fortinet.firewall.contentdisarmed`*:: + -- -VOIP line +Email scanned content type: keyword -- -*`fortinet.firewall.live`*:: +*`fortinet.firewall.contenttype`*:: + -- -Time in seconds +Content Type from HTTP header -type: integer +type: keyword -- -*`fortinet.firewall.local`*:: +*`fortinet.firewall.cookies`*:: + -- -Local IP for a PPPD Connection +VPN Cookie -type: ip +type: keyword -- -*`fortinet.firewall.log`*:: +*`fortinet.firewall.count`*:: + -- -Log message +Counts of action type -type: keyword +type: integer -- 
-*`fortinet.firewall.login`*:: +*`fortinet.firewall.countapp`*:: + -- -SSH login +Number of App Ctrl logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.lowcount`*:: +*`fortinet.firewall.countav`*:: + -- -Fabric lowcount +Number of AV logs associated with the session type: integer -- -*`fortinet.firewall.mac`*:: +*`fortinet.firewall.countcifs`*:: + -- -DHCP mac address +Number of CIFS logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.malform_data`*:: +*`fortinet.firewall.countdlp`*:: + -- -VOIP malformed data +Number of DLP logs associated with the session type: integer -- -*`fortinet.firewall.malform_desc`*:: +*`fortinet.firewall.countdns`*:: + -- -VOIP malformed data description +Number of DNS logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.manuf`*:: +*`fortinet.firewall.countemail`*:: + -- -Manufacturer name +Number of email logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.masterdstmac`*:: +*`fortinet.firewall.countff`*:: + -- -Master mac address for a host with multiple network interfaces +Number of ff logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.mastersrcmac`*:: +*`fortinet.firewall.countips`*:: + -- -The master MAC address for a host that has multiple network interfaces +Number of IPS logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.mediumcount`*:: +*`fortinet.firewall.countssh`*:: + -- -Fabric medium count +Number of SSH logs associated with the session type: integer -- -*`fortinet.firewall.mem`*:: +*`fortinet.firewall.countssl`*:: + -- -Memory usage system statistics +Number of SSL logs associated with the session type: integer -- -*`fortinet.firewall.meshmode`*:: +*`fortinet.firewall.countwaf`*:: + -- -Wireless mesh mode +Number of WAF logs associated with the session -type: keyword +type: integer -- 
-*`fortinet.firewall.message_type`*:: +*`fortinet.firewall.countweb`*:: + -- -VOIP message type +Number of Web filter logs associated with the session -type: keyword +type: integer -- -*`fortinet.firewall.method`*:: +*`fortinet.firewall.cpu`*:: + -- -HTTP method +CPU Usage -type: keyword +type: integer -- -*`fortinet.firewall.mgmtcnt`*:: +*`fortinet.firewall.craction`*:: + -- -The number of unauthorized client flooding managemet frames +Client Reputation Action type: integer -- -*`fortinet.firewall.mode`*:: +*`fortinet.firewall.criticalcount`*:: + -- -IPSEC mode +Number of critical ratings -type: keyword +type: integer -- -*`fortinet.firewall.module`*:: +*`fortinet.firewall.crl`*:: + -- -PCI-DSS module +Client Reputation Level type: keyword -- -*`fortinet.firewall.monitor-name`*:: +*`fortinet.firewall.crlevel`*:: + -- -Health Monitor Name +Client Reputation Level type: keyword -- -*`fortinet.firewall.monitor-type`*:: +*`fortinet.firewall.crscore`*:: + -- -Health Monitor Type +Some description -type: keyword +type: integer -- -*`fortinet.firewall.mpsk`*:: +*`fortinet.firewall.cveid`*:: + -- -Wireless MPSK +CVE ID type: keyword -- -*`fortinet.firewall.msgproto`*:: +*`fortinet.firewall.daemon`*:: + -- -Message Protocol Number +Daemon name type: keyword -- -*`fortinet.firewall.mtu`*:: +*`fortinet.firewall.datarange`*:: + -- -Max Transmission Unit Value +Data range for reports -type: integer +type: keyword -- -*`fortinet.firewall.name`*:: +*`fortinet.firewall.date`*:: + -- -Name +Date type: keyword -- -*`fortinet.firewall.nat`*:: +*`fortinet.firewall.ddnsserver`*:: + -- -NAT IP Address +DDNS server -type: keyword +type: ip -- -*`fortinet.firewall.netid`*:: +*`fortinet.firewall.desc`*:: + -- -Connector NetID +Description type: keyword -- -*`fortinet.firewall.new_status`*:: +*`fortinet.firewall.detectionmethod`*:: + -- -New status on user change +Detection method type: keyword -- -*`fortinet.firewall.new_value`*:: +*`fortinet.firewall.devcategory`*:: + -- -New Virtual 
Domain Name +Device category type: keyword -- -*`fortinet.firewall.newchannel`*:: +*`fortinet.firewall.devintfname`*:: + -- -New Channel Number +HA device Interface Name -type: integer +type: keyword -- -*`fortinet.firewall.newchassisid`*:: +*`fortinet.firewall.devtype`*:: + -- -New Chassis ID +Device type -type: integer +type: keyword -- -*`fortinet.firewall.newslot`*:: +*`fortinet.firewall.dhcp_msg`*:: + -- -New Slot Number +DHCP Message -type: integer +type: keyword -- -*`fortinet.firewall.nextstat`*:: +*`fortinet.firewall.dintf`*:: + -- -Time interval in seconds for the next statistics. +Destination interface -type: integer +type: keyword -- -*`fortinet.firewall.nf_type`*:: +*`fortinet.firewall.disk`*:: + -- -Notification Type +Assosciated disk type: keyword -- -*`fortinet.firewall.noise`*:: +*`fortinet.firewall.disklograte`*:: + -- -Wifi Noise +Disk logging rate -type: integer +type: long -- -*`fortinet.firewall.old_status`*:: +*`fortinet.firewall.dlpextra`*:: + -- -Original Status +DLP extra information type: keyword -- -*`fortinet.firewall.old_value`*:: +*`fortinet.firewall.docsource`*:: + -- -Original Virtual Domain name +DLP fingerprint document source type: keyword -- -*`fortinet.firewall.oldchannel`*:: +*`fortinet.firewall.domainctrlauthstate`*:: + -- -Original channel +CIFS domain auth state type: integer -- -*`fortinet.firewall.oldchassisid`*:: +*`fortinet.firewall.domainctrlauthtype`*:: + -- -Original Chassis Number +CIFS domain auth type type: integer -- -*`fortinet.firewall.oldslot`*:: +*`fortinet.firewall.domainctrldomain`*:: + -- -Original Slot Number +CIFS domain auth domain -type: integer +type: keyword -- -*`fortinet.firewall.oldsn`*:: +*`fortinet.firewall.domainctrlip`*:: + -- -Old Serial number +CIFS Domain IP -type: keyword +type: ip -- -*`fortinet.firewall.oldwprof`*:: +*`fortinet.firewall.domainctrlname`*:: + -- -Old Web Filter Profile +CIFS Domain name type: keyword -- -*`fortinet.firewall.onwire`*:: 
+*`fortinet.firewall.domainctrlprotocoltype`*:: + -- -A flag to indicate if the AP is onwire or not +CIFS Domain connection protocol -type: keyword +type: integer -- -*`fortinet.firewall.opercountry`*:: +*`fortinet.firewall.domainctrlusername`*:: + -- -Operating Country +CIFS Domain username type: keyword -- -*`fortinet.firewall.opertxpower`*:: +*`fortinet.firewall.domainfilteridx`*:: + -- -Operating TX power +Domain filter ID type: integer -- -*`fortinet.firewall.osname`*:: +*`fortinet.firewall.domainfilterlist`*:: + -- -Operating System name +Domain filter name type: keyword -- -*`fortinet.firewall.osversion`*:: +*`fortinet.firewall.ds`*:: + -- -Operating System version +Direction with distribution system type: keyword -- -*`fortinet.firewall.out_spi`*:: +*`fortinet.firewall.dst_int`*:: + -- -Out SPI +Destination interface type: keyword -- -*`fortinet.firewall.outintf`*:: +*`fortinet.firewall.dstintfrole`*:: + -- -Out interface +Destination interface role type: keyword -- -*`fortinet.firewall.passedcount`*:: -+ --- -Fabric passed count - - -type: integer - --- - -*`fortinet.firewall.passwd`*:: +*`fortinet.firewall.dstcountry`*:: + -- -Changed user password information +Destination country type: keyword -- -*`fortinet.firewall.path`*:: +*`fortinet.firewall.dstdevcategory`*:: + -- -Path of looped configuration for security fabric +Destination device category type: keyword -- -*`fortinet.firewall.peer`*:: +*`fortinet.firewall.dstdevtype`*:: + -- -WAN optimization peer +Destination device type type: keyword -- -*`fortinet.firewall.peer_notif`*:: +*`fortinet.firewall.dstfamily`*:: + -- -VPN peer notification +Destination OS family type: keyword -- -*`fortinet.firewall.phase2_name`*:: +*`fortinet.firewall.dsthwvendor`*:: + -- -VPN phase2 name +Destination HW vendor type: keyword -- -*`fortinet.firewall.phone`*:: +*`fortinet.firewall.dsthwversion`*:: + -- -VOIP Phone +Destination HW version type: keyword -- -*`fortinet.firewall.pid`*:: 
+*`fortinet.firewall.dstinetsvc`*:: + -- -Process ID +Destination interface service -type: integer +type: keyword -- -*`fortinet.firewall.policytype`*:: +*`fortinet.firewall.dstosname`*:: + -- -Policy Type +Destination OS name type: keyword -- -*`fortinet.firewall.poolname`*:: +*`fortinet.firewall.dstosversion`*:: + -- -IP Pool name +Destination OS version type: keyword -- -*`fortinet.firewall.port`*:: +*`fortinet.firewall.dstserver`*:: + -- -Log upload error port +Destination server type: integer -- -*`fortinet.firewall.portbegin`*:: +*`fortinet.firewall.dstssid`*:: + -- -IP Pool port number to begin +Destination SSID -type: integer +type: keyword -- -*`fortinet.firewall.portend`*:: +*`fortinet.firewall.dstswversion`*:: + -- -IP Pool port number to end +Destination software version -type: integer +type: keyword -- -*`fortinet.firewall.probeproto`*:: +*`fortinet.firewall.dstunauthusersource`*:: + -- -Link Monitor Probe Protocol +Destination unauthenticated source type: keyword -- -*`fortinet.firewall.process`*:: +*`fortinet.firewall.dstuuid`*:: + -- -URL Filter process +UUID of the Destination IP address type: keyword -- -*`fortinet.firewall.processtime`*:: +*`fortinet.firewall.duid`*:: + -- -Process time for reports +DHCP UID -type: integer +type: keyword -- -*`fortinet.firewall.profile`*:: +*`fortinet.firewall.eapolcnt`*:: + -- -Profile Name +EAPOL packet count -type: keyword +type: integer -- -*`fortinet.firewall.profile_vd`*:: +*`fortinet.firewall.eapoltype`*:: + -- -Virtual Domain Name +EAPOL packet type type: keyword -- -*`fortinet.firewall.profilegroup`*:: +*`fortinet.firewall.encrypt`*:: + -- -Profile Group Name +Whether the packet is encrypted or not -type: keyword +type: integer -- -*`fortinet.firewall.profiletype`*:: +*`fortinet.firewall.encryption`*:: + -- -Profile Type +Encryption method type: keyword -- -*`fortinet.firewall.qtypeval`*:: +*`fortinet.firewall.epoch`*:: + -- -DNS question type value +Epoch used for locating file type: integer -- 
-*`fortinet.firewall.quarskip`*:: +*`fortinet.firewall.espauth`*:: + -- -Quarantine skip explanation +ESP Authentication type: keyword -- -*`fortinet.firewall.quotaexceeded`*:: +*`fortinet.firewall.esptransform`*:: + -- -If quota has been exceeded +ESP Transform type: keyword -- -*`fortinet.firewall.quotamax`*:: +*`fortinet.firewall.eventtype`*:: + -- -Maximum quota allowed - in seconds if time-based - in bytes if traffic-based +UTM Event Type -type: long +type: keyword -- -*`fortinet.firewall.quotatype`*:: +*`fortinet.firewall.exch`*:: + -- -Quota type +Mail Exchanges from DNS response answer section type: keyword -- -*`fortinet.firewall.quotaused`*:: +*`fortinet.firewall.exchange`*:: + -- -Quota used - in seconds if time-based - in bytes if trafficbased) +Mail Exchanges from DNS response answer section -type: long +type: keyword -- -*`fortinet.firewall.radioband`*:: +*`fortinet.firewall.expectedsignature`*:: + -- -Radio band +Expected SSL signature type: keyword -- -*`fortinet.firewall.radioid`*:: +*`fortinet.firewall.expiry`*:: + -- -Radio ID +FortiGuard override expiry timestamp -type: integer +type: keyword -- -*`fortinet.firewall.radioidclosest`*:: +*`fortinet.firewall.fams_pause`*:: + -- -Radio ID on the AP closest the rogue AP +Fortinet Analysis and Management Service Pause type: integer -- -*`fortinet.firewall.radioiddetected`*:: +*`fortinet.firewall.fazlograte`*:: + -- -Radio ID on the AP which detected the rogue AP +FortiAnalyzer Logging Rate -type: integer +type: long -- -*`fortinet.firewall.rate`*:: +*`fortinet.firewall.fctemssn`*:: + -- -Wireless rogue rate value +FortiClient Endpoint SSN type: keyword -- -*`fortinet.firewall.rawdata`*:: +*`fortinet.firewall.fctuid`*:: + -- -Raw data value +FortiClient UID type: keyword -- -*`fortinet.firewall.rawdataid`*:: +*`fortinet.firewall.field`*:: + -- -Raw data ID +NTP status field type: keyword -- -*`fortinet.firewall.rcvddelta`*:: +*`fortinet.firewall.filefilter`*:: + -- -Received bytes delta +The filter 
used to identify the affected file type: keyword -- -*`fortinet.firewall.reason`*:: +*`fortinet.firewall.filehashsrc`*:: + -- -Alert reason +Filehash source type: keyword -- -*`fortinet.firewall.received`*:: +*`fortinet.firewall.filtercat`*:: + -- -Server key exchange received +DLP filter category -type: integer +type: keyword -- -*`fortinet.firewall.receivedsignature`*:: +*`fortinet.firewall.filteridx`*:: + -- -Server key exchange received signature +DLP filter ID -type: keyword +type: integer -- -*`fortinet.firewall.red`*:: +*`fortinet.firewall.filtername`*:: + -- -Memory information in red +DLP rule name type: keyword -- -*`fortinet.firewall.referralurl`*:: +*`fortinet.firewall.filtertype`*:: + -- -Web filter referralurl +DLP filter type type: keyword -- -*`fortinet.firewall.remote`*:: +*`fortinet.firewall.fortiguardresp`*:: + -- -Remote PPP IP address +Antispam ESP value -type: ip +type: keyword -- -*`fortinet.firewall.remotewtptime`*:: +*`fortinet.firewall.forwardedfor`*:: + -- -Remote Wifi Radius authentication time +Email address forwarded type: keyword -- -*`fortinet.firewall.reporttype`*:: +*`fortinet.firewall.fqdn`*:: + -- -Report type +FQDN type: keyword -- -*`fortinet.firewall.reqtype`*:: +*`fortinet.firewall.frametype`*:: + -- -Request type +Wireless frametype type: keyword -- -*`fortinet.firewall.request_name`*:: +*`fortinet.firewall.freediskstorage`*:: + -- -VOIP request name +Free disk integer -type: keyword +type: integer -- -*`fortinet.firewall.result`*:: +*`fortinet.firewall.from`*:: + -- -VPN phase result +From email address type: keyword -- -*`fortinet.firewall.role`*:: +*`fortinet.firewall.from_vcluster`*:: + -- -VPN Phase 2 role +Source virtual cluster number -type: keyword +type: integer -- -*`fortinet.firewall.rssi`*:: +*`fortinet.firewall.fsaverdict`*:: + -- -Received signal strength indicator +FSA verdict -type: integer +type: keyword -- -*`fortinet.firewall.rsso_key`*:: +*`fortinet.firewall.fwserver_name`*:: + -- -RADIUS SSO attribute 
value +Web proxy server name type: keyword -- -*`fortinet.firewall.ruledata`*:: +*`fortinet.firewall.gateway`*:: + -- -Rule data +Gateway ip address for PPPoE status report -type: keyword +type: ip -- -*`fortinet.firewall.ruletype`*:: +*`fortinet.firewall.green`*:: + -- -Rule type +Memory status type: keyword -- -*`fortinet.firewall.scanned`*:: +*`fortinet.firewall.groupid`*:: + -- -Number of Scanned MMSs +User Group ID type: integer -- -*`fortinet.firewall.scantime`*:: +*`fortinet.firewall.ha-prio`*:: + -- -Scanned time +HA Priority -type: long +type: integer -- -*`fortinet.firewall.scope`*:: +*`fortinet.firewall.ha_group`*:: + -- -FortiGuard Override Scope +HA Group type: keyword -- -*`fortinet.firewall.security`*:: +*`fortinet.firewall.ha_role`*:: + -- -Wireless rogue security +HA Role type: keyword -- -*`fortinet.firewall.sensitivity`*:: +*`fortinet.firewall.handshake`*:: + -- -Sensitivity for document fingerprint +SSL Handshake type: keyword -- -*`fortinet.firewall.sensor`*:: +*`fortinet.firewall.hash`*:: + -- -NAC Sensor Name +Hash value of downloaded file type: keyword -- -*`fortinet.firewall.sentdelta`*:: +*`fortinet.firewall.hbdn_reason`*:: + -- -Sent bytes delta +Heartbeat down reason type: keyword -- -*`fortinet.firewall.seq`*:: +*`fortinet.firewall.highcount`*:: + -- -Sequence number +Highcount fabric summary -type: keyword +type: integer -- -*`fortinet.firewall.serial`*:: +*`fortinet.firewall.host`*:: + -- -WAN optimisation serial +Hostname type: keyword -- -*`fortinet.firewall.serialno`*:: +*`fortinet.firewall.iaid`*:: + -- -Serial number +DHCPv6 id type: keyword -- -*`fortinet.firewall.server`*:: +*`fortinet.firewall.icmpcode`*:: + -- -AD server FQDN or IP +Destination Port of the ICMP message type: keyword -- -*`fortinet.firewall.session_id`*:: +*`fortinet.firewall.icmpid`*:: + -- -Session ID +Source port of the ICMP message type: keyword -- -*`fortinet.firewall.sessionid`*:: +*`fortinet.firewall.icmptype`*:: + -- -WAD Session ID +The type of ICMP 
message -type: integer +type: keyword -- -*`fortinet.firewall.setuprate`*:: +*`fortinet.firewall.identifier`*:: + -- -Session Setup Rate +Network traffic identifier -type: long +type: integer -- -*`fortinet.firewall.severity`*:: +*`fortinet.firewall.in_spi`*:: + -- -Severity +IPSEC inbound SPI type: keyword -- -*`fortinet.firewall.shaperdroprcvdbyte`*:: +*`fortinet.firewall.incidentserialno`*:: + -- -Received bytes dropped by shaper +Incident serial number type: integer -- -*`fortinet.firewall.shaperdropsentbyte`*:: +*`fortinet.firewall.infected`*:: + -- -Sent bytes dropped by shaper +Infected MMS type: integer -- -*`fortinet.firewall.shaperperipdropbyte`*:: +*`fortinet.firewall.infectedfilelevel`*:: + -- -Dropped bytes per IP by shaper +DLP infected file level type: integer -- -*`fortinet.firewall.shaperperipname`*:: +*`fortinet.firewall.informationsource`*:: + -- -Traffic shaper name (per IP) +Information source type: keyword -- -*`fortinet.firewall.shaperrcvdname`*:: +*`fortinet.firewall.init`*:: + -- -Traffic shaper name for received traffic +IPSEC init stage type: keyword -- -*`fortinet.firewall.shapersentname`*:: +*`fortinet.firewall.initiator`*:: + -- -Traffic shaper name for sent traffic +Original login user name for Fortiguard override type: keyword -- -*`fortinet.firewall.shapingpolicyid`*:: +*`fortinet.firewall.interface`*:: + -- -Traffic shaper policy ID +Related interface -type: integer +type: keyword -- -*`fortinet.firewall.signal`*:: +*`fortinet.firewall.intf`*:: + -- -Wireless rogue API signal +Related interface -type: integer +type: keyword -- -*`fortinet.firewall.size`*:: +*`fortinet.firewall.invalidmac`*:: + -- -Email size in bytes +The MAC address with invalid OUI -type: long +type: keyword -- -*`fortinet.firewall.slot`*:: +*`fortinet.firewall.ip`*:: + -- -Slot number +Related IP -type: integer +type: ip -- -*`fortinet.firewall.sn`*:: +*`fortinet.firewall.iptype`*:: + -- -Security fabric serial number +Related IP type type: keyword -- 
-*`fortinet.firewall.snclosest`*:: +*`fortinet.firewall.keyword`*:: + -- -SN of the AP closest to the rogue AP +Keyword used for search type: keyword -- -*`fortinet.firewall.sndetected`*:: +*`fortinet.firewall.kind`*:: + -- -SN of the AP which detected the rogue AP +VOIP kind type: keyword -- -*`fortinet.firewall.snmeshparent`*:: +*`fortinet.firewall.lanin`*:: + -- -SN of the mesh parent +LAN incoming traffic in bytes -type: keyword +type: long -- -*`fortinet.firewall.spi`*:: +*`fortinet.firewall.lanout`*:: + -- -IPSEC SPI +LAN outbound traffic in bytes -type: keyword +type: long -- -*`fortinet.firewall.src_int`*:: +*`fortinet.firewall.lease`*:: + -- -Source interface +DHCP lease -type: keyword +type: integer -- -*`fortinet.firewall.srcintfrole`*:: +*`fortinet.firewall.license_limit`*:: + -- -Source interface role +Maximum Number of FortiClients for the License type: keyword -- -*`fortinet.firewall.srccountry`*:: +*`fortinet.firewall.limit`*:: + -- -Source country +Virtual Domain Resource Limit -type: keyword +type: integer -- -*`fortinet.firewall.srcfamily`*:: +*`fortinet.firewall.line`*:: + -- -Source family +VOIP line type: keyword -- -*`fortinet.firewall.srchwvendor`*:: +*`fortinet.firewall.live`*:: + -- -Source hardware vendor +Time in seconds -type: keyword +type: integer -- -*`fortinet.firewall.srchwversion`*:: +*`fortinet.firewall.local`*:: + -- -Source hardware version +Local IP for a PPPD Connection -type: keyword +type: ip -- -*`fortinet.firewall.srcinetsvc`*:: +*`fortinet.firewall.log`*:: + -- -Source interface service +Log message type: keyword -- -*`fortinet.firewall.srcname`*:: +*`fortinet.firewall.login`*:: + -- -Source name +SSH login type: keyword -- -*`fortinet.firewall.srcserver`*:: +*`fortinet.firewall.lowcount`*:: + -- -Source server +Fabric lowcount type: integer -- -*`fortinet.firewall.srcssid`*:: +*`fortinet.firewall.mac`*:: + -- -Source SSID +DHCP mac address type: keyword -- -*`fortinet.firewall.srcswversion`*:: 
+*`fortinet.firewall.malform_data`*:: + -- -Source software version +VOIP malformed data -type: keyword +type: integer -- -*`fortinet.firewall.srcuuid`*:: +*`fortinet.firewall.malform_desc`*:: + -- -Source UUID +VOIP malformed data description type: keyword -- -*`fortinet.firewall.sscname`*:: +*`fortinet.firewall.manuf`*:: + -- -SSC name +Manufacturer name type: keyword -- -*`fortinet.firewall.ssid`*:: +*`fortinet.firewall.masterdstmac`*:: + -- -Base Service Set ID +Master mac address for a host with multiple network interfaces type: keyword -- -*`fortinet.firewall.sslaction`*:: +*`fortinet.firewall.mastersrcmac`*:: + -- -SSL Action +The master MAC address for a host that has multiple network interfaces type: keyword -- -*`fortinet.firewall.ssllocal`*:: +*`fortinet.firewall.mediumcount`*:: + -- -WAD SSL local +Fabric medium count -type: keyword +type: integer -- -*`fortinet.firewall.sslremote`*:: +*`fortinet.firewall.mem`*:: + -- -WAD SSL remote +Memory usage system statistics -type: keyword +type: integer -- -*`fortinet.firewall.stacount`*:: +*`fortinet.firewall.meshmode`*:: + -- -Number of stations/clients +Wireless mesh mode -type: integer +type: keyword -- -*`fortinet.firewall.stage`*:: +*`fortinet.firewall.message_type`*:: + -- -IPSEC stage +VOIP message type type: keyword -- -*`fortinet.firewall.stamac`*:: +*`fortinet.firewall.method`*:: + -- -802.1x station mac +HTTP method type: keyword -- -*`fortinet.firewall.state`*:: +*`fortinet.firewall.mgmtcnt`*:: + -- -Admin login state +The number of unauthorized client flooding managemet frames -type: keyword +type: integer -- -*`fortinet.firewall.status`*:: +*`fortinet.firewall.mode`*:: + -- -Status +IPSEC mode type: keyword -- -*`fortinet.firewall.stitch`*:: +*`fortinet.firewall.module`*:: + -- -Automation stitch triggered +PCI-DSS module type: keyword -- -*`fortinet.firewall.subject`*:: +*`fortinet.firewall.monitor-name`*:: + -- -Email subject +Health Monitor Name type: keyword -- 
-*`fortinet.firewall.submodule`*:: +*`fortinet.firewall.monitor-type`*:: + -- -Configuration Sub-Module Name +Health Monitor Type type: keyword -- -*`fortinet.firewall.subservice`*:: +*`fortinet.firewall.mpsk`*:: + -- -AV subservice +Wireless MPSK type: keyword -- -*`fortinet.firewall.subtype`*:: +*`fortinet.firewall.msgproto`*:: + -- -Log subtype +Message Protocol Number type: keyword -- -*`fortinet.firewall.suspicious`*:: +*`fortinet.firewall.mtu`*:: + -- -Number of Suspicious MMSs +Max Transmission Unit Value type: integer -- -*`fortinet.firewall.switchproto`*:: +*`fortinet.firewall.name`*:: + -- -Protocol change information +Name type: keyword -- -*`fortinet.firewall.sync_status`*:: +*`fortinet.firewall.nat`*:: + -- -The sync status with the master +NAT IP Address type: keyword -- -*`fortinet.firewall.sync_type`*:: +*`fortinet.firewall.netid`*:: + -- -The sync type with the master +Connector NetID type: keyword -- -*`fortinet.firewall.sysuptime`*:: +*`fortinet.firewall.new_status`*:: + -- -System uptime +New status on user change type: keyword -- -*`fortinet.firewall.tamac`*:: +*`fortinet.firewall.new_value`*:: + -- -the MAC address of Transmitter, if none, then Receiver +New Virtual Domain Name type: keyword -- -*`fortinet.firewall.threattype`*:: +*`fortinet.firewall.newchannel`*:: + -- -WIDS threat type +New Channel Number -type: keyword +type: integer -- -*`fortinet.firewall.time`*:: +*`fortinet.firewall.newchassisid`*:: + -- -Time of the event +New Chassis ID -type: keyword +type: integer -- -*`fortinet.firewall.to`*:: +*`fortinet.firewall.newslot`*:: + -- -Email to field +New Slot Number -type: keyword +type: integer -- -*`fortinet.firewall.to_vcluster`*:: +*`fortinet.firewall.nextstat`*:: + -- -destination virtual cluster number +Time interval in seconds for the next statistics. 
type: integer -- -*`fortinet.firewall.total`*:: +*`fortinet.firewall.nf_type`*:: + -- -Total memory +Notification Type -type: integer +type: keyword -- -*`fortinet.firewall.totalsession`*:: +*`fortinet.firewall.noise`*:: + -- -Total Number of Sessions +Wifi Noise type: integer -- -*`fortinet.firewall.trace_id`*:: +*`fortinet.firewall.old_status`*:: + -- -Session clash trace ID +Original Status type: keyword -- -*`fortinet.firewall.trandisp`*:: +*`fortinet.firewall.old_value`*:: + -- -NAT translation type +Original Virtual Domain name type: keyword -- -*`fortinet.firewall.transid`*:: +*`fortinet.firewall.oldchannel`*:: + -- -HTTP transaction ID +Original channel type: integer -- -*`fortinet.firewall.translationid`*:: +*`fortinet.firewall.oldchassisid`*:: + -- -DNS filter transaltion ID +Original Chassis Number + + +type: integer + +-- + +*`fortinet.firewall.oldslot`*:: ++ +-- +Original Slot Number + + +type: integer + +-- + +*`fortinet.firewall.oldsn`*:: ++ +-- +Old Serial number type: keyword -- -*`fortinet.firewall.trigger`*:: +*`fortinet.firewall.oldwprof`*:: + -- -Automation stitch trigger +Old Web Filter Profile type: keyword -- -*`fortinet.firewall.trueclntip`*:: +*`fortinet.firewall.onwire`*:: + -- -File filter true client IP +A flag to indicate if the AP is onwire or not -type: ip +type: keyword -- -*`fortinet.firewall.tunnelid`*:: +*`fortinet.firewall.opercountry`*:: + -- -IPSEC tunnel ID +Operating Country -type: integer +type: keyword -- -*`fortinet.firewall.tunnelip`*:: +*`fortinet.firewall.opertxpower`*:: + -- -IPSEC tunnel IP +Operating TX power -type: ip +type: integer -- -*`fortinet.firewall.tunneltype`*:: +*`fortinet.firewall.osname`*:: + -- -IPSEC tunnel type +Operating System name type: keyword -- -*`fortinet.firewall.type`*:: +*`fortinet.firewall.osversion`*:: + -- -Module type +Operating System version type: keyword -- -*`fortinet.firewall.ui`*:: +*`fortinet.firewall.out_spi`*:: + -- -Admin authentication UI type +Out SPI type: keyword -- 
-*`fortinet.firewall.unauthusersource`*:: +*`fortinet.firewall.outintf`*:: + -- -Unauthenticated user source +Out interface type: keyword -- -*`fortinet.firewall.unit`*:: +*`fortinet.firewall.passedcount`*:: + -- -Power supply unit +Fabric passed count type: integer -- -*`fortinet.firewall.urlfilteridx`*:: +*`fortinet.firewall.passwd`*:: + -- -URL filter ID +Changed user password information -type: integer +type: keyword -- -*`fortinet.firewall.urlfilterlist`*:: +*`fortinet.firewall.path`*:: + -- -URL filter list +Path of looped configuration for security fabric type: keyword -- -*`fortinet.firewall.urlsource`*:: +*`fortinet.firewall.peer`*:: + -- -URL filter source +WAN optimization peer type: keyword -- -*`fortinet.firewall.urltype`*:: +*`fortinet.firewall.peer_notif`*:: + -- -URL filter type +VPN peer notification type: keyword -- -*`fortinet.firewall.used`*:: +*`fortinet.firewall.phase2_name`*:: + -- -Number of Used IPs +VPN phase2 name -type: integer +type: keyword -- -*`fortinet.firewall.used_for_type`*:: +*`fortinet.firewall.phone`*:: + -- -Connection for the type +VOIP Phone -type: integer +type: keyword -- -*`fortinet.firewall.utmaction`*:: +*`fortinet.firewall.pid`*:: + -- -Security action performed by UTM +Process ID -type: keyword +type: integer -- -*`fortinet.firewall.utmref`*:: +*`fortinet.firewall.policytype`*:: + -- -Reference to UTM +Policy Type type: keyword -- -*`fortinet.firewall.vap`*:: +*`fortinet.firewall.poolname`*:: + -- -Virtual AP +IP Pool name type: keyword -- -*`fortinet.firewall.vapmode`*:: +*`fortinet.firewall.port`*:: + -- -Virtual AP mode +Log upload error port -type: keyword +type: integer -- -*`fortinet.firewall.vcluster`*:: +*`fortinet.firewall.portbegin`*:: + -- -virtual cluster id +IP Pool port number to begin type: integer -- -*`fortinet.firewall.vcluster_member`*:: +*`fortinet.firewall.portend`*:: + -- -Virtual cluster member +IP Pool port number to end type: integer -- -*`fortinet.firewall.vcluster_state`*:: 
+*`fortinet.firewall.probeproto`*:: + -- -Virtual cluster state +Link Monitor Probe Protocol type: keyword -- -*`fortinet.firewall.vd`*:: +*`fortinet.firewall.process`*:: + -- -Virtual Domain Name +URL Filter process type: keyword -- -*`fortinet.firewall.vdname`*:: +*`fortinet.firewall.processtime`*:: + -- -Virtual Domain Name +Process time for reports -type: keyword +type: integer -- -*`fortinet.firewall.vendorurl`*:: +*`fortinet.firewall.profile`*:: + -- -Vulnerability scan vendor name +Profile Name type: keyword -- -*`fortinet.firewall.version`*:: +*`fortinet.firewall.profile_vd`*:: + -- -Version +Virtual Domain Name type: keyword -- -*`fortinet.firewall.vip`*:: +*`fortinet.firewall.profilegroup`*:: + -- -Virtual IP +Profile Group Name type: keyword -- -*`fortinet.firewall.virus`*:: +*`fortinet.firewall.profiletype`*:: + -- -Virus name +Profile Type type: keyword -- -*`fortinet.firewall.virusid`*:: +*`fortinet.firewall.qtypeval`*:: + -- -Virus ID (unique virus identifier) +DNS question type value type: integer -- -*`fortinet.firewall.voip_proto`*:: +*`fortinet.firewall.quarskip`*:: + -- -VOIP protocol +Quarantine skip explanation type: keyword -- -*`fortinet.firewall.vpn`*:: +*`fortinet.firewall.quotaexceeded`*:: + -- -VPN description +If quota has been exceeded type: keyword -- -*`fortinet.firewall.vpntunnel`*:: +*`fortinet.firewall.quotamax`*:: + -- -IPsec Vpn Tunnel Name +Maximum quota allowed - in seconds if time-based - in bytes if traffic-based -type: keyword +type: long -- -*`fortinet.firewall.vpntype`*:: +*`fortinet.firewall.quotatype`*:: + -- -The type of the VPN tunnel +Quota type type: keyword -- -*`fortinet.firewall.vrf`*:: +*`fortinet.firewall.quotaused`*:: + -- -VRF number +Quota used - in seconds if time-based - in bytes if trafficbased) -type: integer +type: long -- -*`fortinet.firewall.vulncat`*:: +*`fortinet.firewall.radioband`*:: + -- -Vulnerability Category +Radio band type: keyword -- -*`fortinet.firewall.vulnid`*:: 
+*`fortinet.firewall.radioid`*:: + -- -Vulnerability ID +Radio ID type: integer -- -*`fortinet.firewall.vulnname`*:: +*`fortinet.firewall.radioidclosest`*:: + -- -Vulnerability name +Radio ID on the AP closest the rogue AP -type: keyword +type: integer -- -*`fortinet.firewall.vwlid`*:: +*`fortinet.firewall.radioiddetected`*:: + -- -VWL ID +Radio ID on the AP which detected the rogue AP type: integer -- -*`fortinet.firewall.vwlquality`*:: +*`fortinet.firewall.rate`*:: + -- -VWL quality +Wireless rogue rate value type: keyword -- -*`fortinet.firewall.vwlservice`*:: +*`fortinet.firewall.rawdata`*:: + -- -VWL service +Raw data value type: keyword -- -*`fortinet.firewall.vwpvlanid`*:: +*`fortinet.firewall.rawdataid`*:: + -- -VWP VLAN ID +Raw data ID -type: integer +type: keyword -- -*`fortinet.firewall.wanin`*:: +*`fortinet.firewall.rcvddelta`*:: + -- -WAN incoming traffic in bytes +Received bytes delta -type: long +type: keyword -- -*`fortinet.firewall.wanoptapptype`*:: +*`fortinet.firewall.reason`*:: + -- -WAN Optimization Application type +Alert reason type: keyword -- -*`fortinet.firewall.wanout`*:: +*`fortinet.firewall.received`*:: + -- -WAN outgoing traffic in bytes +Server key exchange received -type: long +type: integer -- -*`fortinet.firewall.weakwepiv`*:: +*`fortinet.firewall.receivedsignature`*:: + -- -Weak Wep Initiation Vector +Server key exchange received signature type: keyword -- -*`fortinet.firewall.xauthgroup`*:: +*`fortinet.firewall.red`*:: + -- -XAuth Group Name +Memory information in red type: keyword -- -*`fortinet.firewall.xauthuser`*:: +*`fortinet.firewall.referralurl`*:: + -- -XAuth User Name +Web filter referralurl type: keyword -- -*`fortinet.firewall.xid`*:: +*`fortinet.firewall.remote`*:: + -- -Wireless X ID +Remote PPP IP address -type: integer +type: ip -- -[[exported-fields-gcp]] -== Google Cloud Platform (GCP) fields +*`fortinet.firewall.remotewtptime`*:: ++ +-- +Remote Wifi Radius authentication time -Module for handling logs from 
Google Cloud. +type: keyword +-- -[float] -=== gcp +*`fortinet.firewall.reporttype`*:: ++ +-- +Report type -Fields from Google Cloud logs. +type: keyword +-- -[float] -=== destination.instance +*`fortinet.firewall.reqtype`*:: ++ +-- +Request type -If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +type: keyword +-- -*`gcp.destination.instance.project_id`*:: +*`fortinet.firewall.request_name`*:: + -- -ID of the project containing the VM. +VOIP request name type: keyword -- -*`gcp.destination.instance.region`*:: +*`fortinet.firewall.result`*:: + -- -Region of the VM. +VPN phase result type: keyword -- -*`gcp.destination.instance.zone`*:: +*`fortinet.firewall.role`*:: + -- -Zone of the VM. +VPN Phase 2 role type: keyword -- -[float] -=== destination.vpc +*`fortinet.firewall.rssi`*:: ++ +-- +Received signal strength indicator -If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +type: integer +-- -*`gcp.destination.vpc.project_id`*:: +*`fortinet.firewall.rsso_key`*:: + -- -ID of the project containing the VM. +RADIUS SSO attribute value type: keyword -- -*`gcp.destination.vpc.vpc_name`*:: +*`fortinet.firewall.ruledata`*:: + -- -VPC on which the VM is operating. +Rule data type: keyword -- -*`gcp.destination.vpc.subnetwork_name`*:: +*`fortinet.firewall.ruletype`*:: + -- -Subnetwork on which the VM is operating. +Rule type type: keyword -- -[float] -=== source.instance +*`fortinet.firewall.scanned`*:: ++ +-- +Number of Scanned MMSs -If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. 
In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +type: integer +-- -*`gcp.source.instance.project_id`*:: +*`fortinet.firewall.scantime`*:: + -- -ID of the project containing the VM. +Scanned time -type: keyword +type: long -- -*`gcp.source.instance.region`*:: +*`fortinet.firewall.scope`*:: + -- -Region of the VM. +FortiGuard Override Scope type: keyword -- -*`gcp.source.instance.zone`*:: +*`fortinet.firewall.security`*:: + -- -Zone of the VM. +Wireless rogue security type: keyword -- -[float] -=== source.vpc +*`fortinet.firewall.sensitivity`*:: ++ +-- +Sensitivity for document fingerprint -If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +type: keyword +-- -*`gcp.source.vpc.project_id`*:: +*`fortinet.firewall.sensor`*:: + -- -ID of the project containing the VM. +NAC Sensor Name type: keyword -- -*`gcp.source.vpc.vpc_name`*:: +*`fortinet.firewall.sentdelta`*:: + -- -VPC on which the VM is operating. +Sent bytes delta type: keyword -- -*`gcp.source.vpc.subnetwork_name`*:: +*`fortinet.firewall.seq`*:: + -- -Subnetwork on which the VM is operating. +Sequence number type: keyword -- -[float] -=== audit +*`fortinet.firewall.serial`*:: ++ +-- +WAN optimisation serial -Fields for Google Cloud audit logs. +type: keyword +-- -*`gcp.audit.type`*:: +*`fortinet.firewall.serialno`*:: + -- -Type property. +Serial number type: keyword -- -[float] -=== authentication_info +*`fortinet.firewall.server`*:: ++ +-- +AD server FQDN or IP -Authentication information. +type: keyword +-- -*`gcp.audit.authentication_info.principal_email`*:: +*`fortinet.firewall.session_id`*:: + -- -The email address of the authenticated user making the request. 
+Session ID type: keyword -- -*`gcp.audit.authentication_info.authority_selector`*:: +*`fortinet.firewall.sessionid`*:: + -- -The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. +WAD Session ID -type: keyword +type: integer -- -*`gcp.audit.authorization_info`*:: +*`fortinet.firewall.setuprate`*:: + -- -Authorization information for the operation. +Session Setup Rate -type: array +type: long -- -*`gcp.audit.method_name`*:: +*`fortinet.firewall.severity`*:: + -- -The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. +Severity type: keyword -- -*`gcp.audit.num_response_items`*:: +*`fortinet.firewall.shaperdroprcvdbyte`*:: + -- -The number of items returned from a List or Query API method, if applicable. +Received bytes dropped by shaper -type: long +type: integer -- -[float] -=== request +*`fortinet.firewall.shaperdropsentbyte`*:: ++ +-- +Sent bytes dropped by shaper -The operation request. +type: integer +-- -*`gcp.audit.request.proto_name`*:: +*`fortinet.firewall.shaperperipdropbyte`*:: + -- -Type property of the request. +Dropped bytes per IP by shaper -type: keyword +type: integer -- -*`gcp.audit.request.filter`*:: +*`fortinet.firewall.shaperperipname`*:: + -- -Filter of the request. +Traffic shaper name (per IP) type: keyword -- -*`gcp.audit.request.name`*:: +*`fortinet.firewall.shaperrcvdname`*:: + -- -Name of the request. +Traffic shaper name for received traffic type: keyword -- -*`gcp.audit.request.resource_name`*:: +*`fortinet.firewall.shapersentname`*:: + -- -Name of the request resource. +Traffic shaper name for sent traffic type: keyword -- -[float] -=== request_metadata +*`fortinet.firewall.shapingpolicyid`*:: ++ +-- +Traffic shaper policy ID -Metadata about the request. 
+type: integer +-- -*`gcp.audit.request_metadata.caller_ip`*:: +*`fortinet.firewall.signal`*:: + -- -The IP address of the caller. +Wireless rogue API signal -type: ip +type: integer -- -*`gcp.audit.request_metadata.caller_supplied_user_agent`*:: +*`fortinet.firewall.size`*:: + -- -The user agent of the caller. This information is not authenticated and should be treated accordingly. +Email size in bytes -type: keyword +type: long -- -[float] -=== response +*`fortinet.firewall.slot`*:: ++ +-- +Slot number -The operation response. +type: integer +-- -*`gcp.audit.response.proto_name`*:: +*`fortinet.firewall.sn`*:: + -- -Type property of the response. +Security fabric serial number type: keyword -- -[float] -=== details - -The details of the response. - - - -*`gcp.audit.response.details.group`*:: +*`fortinet.firewall.snclosest`*:: + -- -The name of the group. +SN of the AP closest to the rogue AP type: keyword -- -*`gcp.audit.response.details.kind`*:: +*`fortinet.firewall.sndetected`*:: + -- -The kind of the response details. +SN of the AP which detected the rogue AP type: keyword -- -*`gcp.audit.response.details.name`*:: +*`fortinet.firewall.snmeshparent`*:: + -- -The name of the response details. +SN of the mesh parent type: keyword -- -*`gcp.audit.response.details.uid`*:: +*`fortinet.firewall.spi`*:: + -- -The uid of the response details. +IPSEC SPI type: keyword -- -*`gcp.audit.response.status`*:: +*`fortinet.firewall.src_int`*:: + -- -Status of the response. +Source interface type: keyword -- -*`gcp.audit.resource_name`*:: +*`fortinet.firewall.srcintfrole`*:: + -- -The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. +Source interface role type: keyword -- -[float] -=== resource_location - -The location of the resource. 
- - - -*`gcp.audit.resource_location.current_locations`*:: +*`fortinet.firewall.srccountry`*:: + -- -Current locations of the resource. +Source country type: keyword -- -*`gcp.audit.service_name`*:: +*`fortinet.firewall.srcfamily`*:: + -- -The name of the API service performing the operation. For example, datastore.googleapis.com. +Source family type: keyword -- -[float] -=== status - -The status of the overall operation. - - - -*`gcp.audit.status.code`*:: +*`fortinet.firewall.srchwvendor`*:: + -- -The status code, which should be an enum value of google.rpc.Code. +Source hardware vendor -type: integer +type: keyword -- -*`gcp.audit.status.message`*:: +*`fortinet.firewall.srchwversion`*:: + -- -A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. +Source hardware version type: keyword -- -[float] -=== firewall - -Fields for Google Cloud Firewall logs. - - - -[float] -=== rule_details - -Description of the firewall rule that matched this connection. - - - -*`gcp.firewall.rule_details.priority`*:: +*`fortinet.firewall.srcinetsvc`*:: + -- -The priority for the firewall rule. +Source interface service -type: long + +type: keyword -- -*`gcp.firewall.rule_details.action`*:: +*`fortinet.firewall.srcname`*:: + -- -Action that the rule performs on match. +Source name + type: keyword -- -*`gcp.firewall.rule_details.direction`*:: +*`fortinet.firewall.srcserver`*:: + -- -Direction of traffic that matches this rule. +Source server -type: keyword + +type: integer -- -*`gcp.firewall.rule_details.reference`*:: +*`fortinet.firewall.srcssid`*:: + -- -Reference to the firewall rule. +Source SSID + type: keyword -- -*`gcp.firewall.rule_details.source_range`*:: +*`fortinet.firewall.srcswversion`*:: + -- -List of source ranges that the firewall rule applies to. 
+Source software version + type: keyword -- -*`gcp.firewall.rule_details.destination_range`*:: +*`fortinet.firewall.srcuuid`*:: + -- -List of destination ranges that the firewall applies to. +Source UUID + type: keyword -- -*`gcp.firewall.rule_details.source_tag`*:: +*`fortinet.firewall.sscname`*:: + -- -List of all the source tags that the firewall rule applies to. +SSC name type: keyword -- -*`gcp.firewall.rule_details.target_tag`*:: +*`fortinet.firewall.ssid`*:: + -- -List of all the target tags that the firewall rule applies to. +Base Service Set ID type: keyword -- -*`gcp.firewall.rule_details.ip_port_info`*:: +*`fortinet.firewall.sslaction`*:: + -- -List of ip protocols and applicable port ranges for rules. +SSL Action -type: array +type: keyword -- -*`gcp.firewall.rule_details.source_service_account`*:: +*`fortinet.firewall.ssllocal`*:: + -- -List of all the source service accounts that the firewall rule applies to. +WAD SSL local type: keyword -- -*`gcp.firewall.rule_details.target_service_account`*:: +*`fortinet.firewall.sslremote`*:: + -- -List of all the target service accounts that the firewall rule applies to. +WAD SSL remote type: keyword -- -[float] -=== vpcflow +*`fortinet.firewall.stacount`*:: ++ +-- +Number of stations/clients -Fields for Google Cloud VPC flow logs. +type: integer +-- -*`gcp.vpcflow.reporter`*:: +*`fortinet.firewall.stage`*:: + -- -The side which reported the flow. Can be either 'SRC' or 'DEST'. +IPSEC stage type: keyword -- -*`gcp.vpcflow.rtt.ms`*:: +*`fortinet.firewall.stamac`*:: + -- -Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. 
+802.1x station mac -type: long +type: keyword -- -[[exported-fields-google_workspace]] -== google_workspace fields - -Google Workspace Module - - - -[float] -=== google_workspace +*`fortinet.firewall.state`*:: ++ +-- +Admin login state -Google Workspace specific fields. -More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +type: keyword +-- -*`google_workspace.actor.type`*:: +*`fortinet.firewall.status`*:: + -- -The type of actor. -Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. +Status type: keyword -- -*`google_workspace.actor.key`*:: +*`fortinet.firewall.stitch`*:: + -- -Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. +Automation stitch triggered type: keyword -- -*`google_workspace.event.type`*:: +*`fortinet.firewall.subject`*:: + -- -The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +Email subject type: keyword -example: audit#activity - -- -*`google_workspace.kind`*:: +*`fortinet.firewall.submodule`*:: + -- -The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +Configuration Sub-Module Name type: keyword -example: audit#activity - -- -*`google_workspace.organization.domain`*:: +*`fortinet.firewall.subservice`*:: + -- -The domain that is affected by the report's event. +AV subservice type: keyword -- - -*`google_workspace.admin.application.edition`*:: +*`fortinet.firewall.subtype`*:: + -- -The Google Workspace edition. 
+Log subtype + type: keyword -- -*`google_workspace.admin.application.name`*:: +*`fortinet.firewall.suspicious`*:: + -- -The application's name. +Number of Suspicious MMSs -type: keyword + +type: integer -- -*`google_workspace.admin.application.enabled`*:: +*`fortinet.firewall.switchproto`*:: + -- -The enabled application. +Protocol change information + type: keyword -- -*`google_workspace.admin.application.licences_order_number`*:: +*`fortinet.firewall.sync_status`*:: + -- -Order number used to redeem licenses. +The sync status with the master + type: keyword -- -*`google_workspace.admin.application.licences_purchased`*:: +*`fortinet.firewall.sync_type`*:: + -- -Number of licences purchased. +The sync type with the master + type: keyword -- -*`google_workspace.admin.application.id`*:: +*`fortinet.firewall.sysuptime`*:: + -- -The application ID. +System uptime + type: keyword -- -*`google_workspace.admin.application.asp_id`*:: +*`fortinet.firewall.tamac`*:: + -- -The application specific password ID. +the MAC address of Transmitter, if none, then Receiver + type: keyword -- -*`google_workspace.admin.application.package_id`*:: +*`fortinet.firewall.threattype`*:: + -- -The mobile application package ID. +WIDS threat type + type: keyword -- -*`google_workspace.admin.group.email`*:: +*`fortinet.firewall.time`*:: + -- -The group's primary email address. +Time of the event + type: keyword -- -*`google_workspace.admin.new_value`*:: +*`fortinet.firewall.to`*:: + -- -The new value for the setting. +Email to field + type: keyword -- -*`google_workspace.admin.old_value`*:: +*`fortinet.firewall.to_vcluster`*:: + -- -The old value for the setting. +destination virtual cluster number -type: keyword + +type: integer -- -*`google_workspace.admin.org_unit.name`*:: +*`fortinet.firewall.total`*:: + -- -The organizational unit name. 
+Total memory -type: keyword + +type: integer -- -*`google_workspace.admin.org_unit.full`*:: +*`fortinet.firewall.totalsession`*:: + -- -The org unit full path including the root org unit name. +Total Number of Sessions -type: keyword + +type: integer -- -*`google_workspace.admin.setting.name`*:: +*`fortinet.firewall.trace_id`*:: + -- -The setting name. +Session clash trace ID + type: keyword -- -*`google_workspace.admin.user_defined_setting.name`*:: +*`fortinet.firewall.trandisp`*:: + -- -The name of the user-defined setting. +NAT translation type + type: keyword -- -*`google_workspace.admin.setting.description`*:: +*`fortinet.firewall.transid`*:: + -- -The setting name. +HTTP transaction ID -type: keyword + +type: integer -- -*`google_workspace.admin.group.priorities`*:: +*`fortinet.firewall.translationid`*:: + -- -Group priorities. +DNS filter transaltion ID + type: keyword -- -*`google_workspace.admin.domain.alias`*:: +*`fortinet.firewall.trigger`*:: + -- -The domain alias. +Automation stitch trigger + type: keyword -- -*`google_workspace.admin.domain.name`*:: +*`fortinet.firewall.trueclntip`*:: + -- -The primary domain name. +File filter true client IP -type: keyword + +type: ip -- -*`google_workspace.admin.domain.secondary_name`*:: +*`fortinet.firewall.tunnelid`*:: + -- -The secondary domain name. +IPSEC tunnel ID -type: keyword + +type: integer -- -*`google_workspace.admin.managed_configuration`*:: +*`fortinet.firewall.tunnelip`*:: + -- -The name of the managed configuration. +IPSEC tunnel IP -type: keyword + +type: ip -- -*`google_workspace.admin.non_featured_services_selection`*:: +*`fortinet.firewall.tunneltype`*:: + -- -Non-featured services selection. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED +IPSEC tunnel type type: keyword -- -*`google_workspace.admin.field`*:: +*`fortinet.firewall.type`*:: + -- -The name of the field. +Module type + type: keyword -- -*`google_workspace.admin.resource.id`*:: +*`fortinet.firewall.ui`*:: + -- -The name of the resource identifier. +Admin authentication UI type + type: keyword -- -*`google_workspace.admin.user.email`*:: +*`fortinet.firewall.unauthusersource`*:: + -- -The user's primary email address. +Unauthenticated user source + type: keyword -- -*`google_workspace.admin.user.nickname`*:: +*`fortinet.firewall.unit`*:: + -- -The user's nickname. +Power supply unit -type: keyword + +type: integer -- -*`google_workspace.admin.user.birthdate`*:: +*`fortinet.firewall.urlfilteridx`*:: + -- -The user's birth date. +URL filter ID -type: date + +type: integer -- -*`google_workspace.admin.gateway.name`*:: +*`fortinet.firewall.urlfilterlist`*:: + -- -Gateway name. Present on some chat settings. +URL filter list + type: keyword -- -*`google_workspace.admin.chrome_os.session_type`*:: +*`fortinet.firewall.urlsource`*:: + -- -Chrome OS session type. +URL filter source + type: keyword -- -*`google_workspace.admin.device.serial_number`*:: +*`fortinet.firewall.urltype`*:: + -- -Device serial number. +URL filter type + type: keyword -- -*`google_workspace.admin.device.id`*:: +*`fortinet.firewall.used`*:: + -- -type: keyword +Number of Used IPs + + +type: integer -- -*`google_workspace.admin.device.type`*:: +*`fortinet.firewall.used_for_type`*:: + -- -Device type. +Connection for the type -type: keyword + +type: integer -- -*`google_workspace.admin.print_server.name`*:: +*`fortinet.firewall.utmaction`*:: + -- -The name of the print server. 
+Security action performed by UTM + type: keyword -- -*`google_workspace.admin.printer.name`*:: +*`fortinet.firewall.utmref`*:: + -- -The name of the printer. +Reference to UTM + type: keyword -- -*`google_workspace.admin.device.command_details`*:: +*`fortinet.firewall.vap`*:: + -- -Command details. +Virtual AP + type: keyword -- -*`google_workspace.admin.role.id`*:: +*`fortinet.firewall.vapmode`*:: + -- -Unique identifier for this role privilege. +Virtual AP mode + type: keyword -- -*`google_workspace.admin.role.name`*:: +*`fortinet.firewall.vcluster`*:: + -- -The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings +virtual cluster id -type: keyword +type: integer -- -*`google_workspace.admin.privilege.name`*:: +*`fortinet.firewall.vcluster_member`*:: + -- -Privilege name. +Virtual cluster member -type: keyword + +type: integer -- -*`google_workspace.admin.service.name`*:: +*`fortinet.firewall.vcluster_state`*:: + -- -The service name. +Virtual cluster state + type: keyword -- -*`google_workspace.admin.url.name`*:: +*`fortinet.firewall.vd`*:: + -- -The website name. +Virtual Domain Name + type: keyword -- -*`google_workspace.admin.product.name`*:: +*`fortinet.firewall.vdname`*:: + -- -The product name. +Virtual Domain Name + type: keyword -- -*`google_workspace.admin.product.sku`*:: +*`fortinet.firewall.vendorurl`*:: + -- -The product SKU. +Vulnerability scan vendor name + type: keyword -- -*`google_workspace.admin.bulk_upload.failed`*:: +*`fortinet.firewall.version`*:: + -- -Number of failed records in bulk upload operation. +Version -type: long + +type: keyword -- -*`google_workspace.admin.bulk_upload.total`*:: +*`fortinet.firewall.vip`*:: + -- -Number of total records in bulk upload operation. +Virtual IP -type: long + +type: keyword -- -*`google_workspace.admin.group.allowed_list`*:: +*`fortinet.firewall.virus`*:: + -- -Names of allow-listed groups. 
+Virus name + type: keyword -- -*`google_workspace.admin.email.quarantine_name`*:: +*`fortinet.firewall.virusid`*:: + -- -The name of the quarantine. +Virus ID (unique virus identifier) -type: keyword + +type: integer -- -*`google_workspace.admin.email.log_search_filter.message_id`*:: +*`fortinet.firewall.voip_proto`*:: + -- -The log search filter's email message ID. +VOIP protocol + type: keyword -- -*`google_workspace.admin.email.log_search_filter.start_date`*:: +*`fortinet.firewall.vpn`*:: + -- -The log search filter's start date. +VPN description -type: date + +type: keyword -- -*`google_workspace.admin.email.log_search_filter.end_date`*:: +*`fortinet.firewall.vpntunnel`*:: + -- -The log search filter's ending date. +IPsec Vpn Tunnel Name -type: date + +type: keyword -- -*`google_workspace.admin.email.log_search_filter.recipient.value`*:: +*`fortinet.firewall.vpntype`*:: + -- -The log search filter's email recipient. +The type of the VPN tunnel + type: keyword -- -*`google_workspace.admin.email.log_search_filter.sender.value`*:: +*`fortinet.firewall.vrf`*:: + -- -The log search filter's email sender. +VRF number -type: keyword + +type: integer -- -*`google_workspace.admin.email.log_search_filter.recipient.ip`*:: +*`fortinet.firewall.vulncat`*:: + -- -The log search filter's email recipient's IP address. +Vulnerability Category -type: ip + +type: keyword -- -*`google_workspace.admin.email.log_search_filter.sender.ip`*:: +*`fortinet.firewall.vulnid`*:: + -- -The log search filter's email sender's IP address. +Vulnerability ID -type: ip + +type: integer -- -*`google_workspace.admin.chrome_licenses.enabled`*:: +*`fortinet.firewall.vulnname`*:: + -- -Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings +Vulnerability name type: keyword -- -*`google_workspace.admin.chrome_licenses.allowed`*:: +*`fortinet.firewall.vwlid`*:: + -- -Licences enabled. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings +VWL ID -type: keyword +type: integer -- -*`google_workspace.admin.oauth2.service.name`*:: +*`fortinet.firewall.vwlquality`*:: + -- -OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings +VWL quality type: keyword -- -*`google_workspace.admin.oauth2.application.id`*:: +*`fortinet.firewall.vwlservice`*:: + -- -OAuth2 application ID. +VWL service + type: keyword -- -*`google_workspace.admin.oauth2.application.name`*:: +*`fortinet.firewall.vwpvlanid`*:: + -- -OAuth2 application name. +VWP VLAN ID -type: keyword + +type: integer -- -*`google_workspace.admin.oauth2.application.type`*:: +*`fortinet.firewall.wanin`*:: + -- -OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings +WAN incoming traffic in bytes -type: keyword +type: long -- -*`google_workspace.admin.verification_method`*:: +*`fortinet.firewall.wanoptapptype`*:: + -- -Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings +WAN Optimization Application type type: keyword -- -*`google_workspace.admin.alert.name`*:: +*`fortinet.firewall.wanout`*:: + -- -The alert name. +WAN outgoing traffic in bytes -type: keyword + +type: long -- -*`google_workspace.admin.rule.name`*:: +*`fortinet.firewall.weakwepiv`*:: + -- -The rule name. +Weak Wep Initiation Vector + type: keyword -- -*`google_workspace.admin.api.client.name`*:: +*`fortinet.firewall.xauthgroup`*:: + -- -The API client name. 
+XAuth Group Name + type: keyword -- -*`google_workspace.admin.api.scopes`*:: +*`fortinet.firewall.xauthuser`*:: + -- -The API scopes. +XAuth User Name + type: keyword -- -*`google_workspace.admin.mdm.token`*:: +*`fortinet.firewall.xid`*:: + -- -The MDM vendor enrollment token. +Wireless X ID -type: keyword + +type: integer -- -*`google_workspace.admin.mdm.vendor`*:: +[[exported-fields-gcp]] +== Google Cloud Platform (GCP) fields + +Module for handling logs from Google Cloud. + + + +[float] +=== gcp + +Fields from Google Cloud logs. + + + +[float] +=== destination.instance + +If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. + + + +*`gcp.destination.instance.project_id`*:: + -- -The MDM vendor's name. +ID of the project containing the VM. + type: keyword -- -*`google_workspace.admin.info_type`*:: +*`gcp.destination.instance.region`*:: + -- -This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings +Region of the VM. type: keyword -- -*`google_workspace.admin.email_monitor.dest_email`*:: +*`gcp.destination.instance.zone`*:: + -- -The destination address of the email monitor. +Zone of the VM. + type: keyword -- -*`google_workspace.admin.email_monitor.level.chat`*:: -+ --- -The chat email monitor level. +[float] +=== destination.vpc -type: keyword +If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. --- -*`google_workspace.admin.email_monitor.level.draft`*:: + +*`gcp.destination.vpc.project_id`*:: + -- -The draft email monitor level. +ID of the project containing the VM. 
+ type: keyword -- -*`google_workspace.admin.email_monitor.level.incoming`*:: +*`gcp.destination.vpc.vpc_name`*:: + -- -The incoming email monitor level. +VPC on which the VM is operating. + type: keyword -- -*`google_workspace.admin.email_monitor.level.outgoing`*:: +*`gcp.destination.vpc.subnetwork_name`*:: + -- -The outgoing email monitor level. +Subnetwork on which the VM is operating. + type: keyword -- -*`google_workspace.admin.email_dump.include_deleted`*:: -+ --- -Indicates if deleted emails are included in the export. +[float] +=== source.instance -type: boolean +If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. --- -*`google_workspace.admin.email_dump.package_content`*:: + +*`gcp.source.instance.project_id`*:: + -- -The contents of the mailbox package. +ID of the project containing the VM. + type: keyword -- -*`google_workspace.admin.email_dump.query`*:: +*`gcp.source.instance.region`*:: + -- -The search query used for the dump. +Region of the VM. + type: keyword -- -*`google_workspace.admin.request.id`*:: +*`gcp.source.instance.zone`*:: + -- -The request ID. +Zone of the VM. + type: keyword -- -*`google_workspace.admin.mobile.action.id`*:: -+ --- -The mobile device action's ID. +[float] +=== source.vpc -type: keyword +If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. --- -*`google_workspace.admin.mobile.action.type`*:: + +*`gcp.source.vpc.project_id`*:: + -- -The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings +ID of the project containing the VM. 
type: keyword -- -*`google_workspace.admin.mobile.certificate.name`*:: +*`gcp.source.vpc.vpc_name`*:: + -- -The mobile certificate common name. +VPC on which the VM is operating. + type: keyword -- -*`google_workspace.admin.mobile.company_owned_devices`*:: +*`gcp.source.vpc.subnetwork_name`*:: + -- -The number of devices a company owns. +Subnetwork on which the VM is operating. -type: long --- +type: keyword -*`google_workspace.admin.distribution.entity.name`*:: -+ -- -The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings +[float] +=== audit -type: keyword +Fields for Google Cloud audit logs. --- -*`google_workspace.admin.distribution.entity.type`*:: + +*`gcp.audit.type`*:: + -- -The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings +Type property. type: keyword -- +[float] +=== authentication_info -*`google_workspace.drive.billable`*:: -+ --- -Whether this activity is billable. +Authentication information. -type: boolean --- -*`google_workspace.drive.source_folder_id`*:: +*`gcp.audit.authentication_info.principal_email`*:: + -- -type: keyword +The email address of the authenticated user making the request. --- -*`google_workspace.drive.source_folder_title`*:: -+ --- type: keyword -- -*`google_workspace.drive.destination_folder_id`*:: +*`gcp.audit.authentication_info.authority_selector`*:: + -- -type: keyword +The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. --- -*`google_workspace.drive.destination_folder_title`*:: -+ --- type: keyword -- -*`google_workspace.drive.file.id`*:: +*`gcp.audit.authorization_info`*:: + -- -type: keyword +Authorization information for the operation. 
+ + +type: array -- -*`google_workspace.drive.file.type`*:: +*`gcp.audit.method_name`*:: + -- -Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. type: keyword -- -*`google_workspace.drive.originating_app_id`*:: +*`gcp.audit.num_response_items`*:: + -- -The Google Cloud Project ID of the application that performed the action. +The number of items returned from a List or Query API method, if applicable. -type: keyword +type: long -- -*`google_workspace.drive.file.owner.email`*:: -+ --- -type: keyword +[float] +=== request --- +The operation request. -*`google_workspace.drive.file.owner.is_shared_drive`*:: + + +*`gcp.audit.request.proto_name`*:: + -- -Boolean flag denoting whether owner is a shared drive. +Type property of the request. -type: boolean +type: keyword -- -*`google_workspace.drive.primary_event`*:: +*`gcp.audit.request.filter`*:: + -- -Whether this is a primary event. A single user action in Drive may generate several events. +Filter of the request. -type: boolean +type: keyword -- -*`google_workspace.drive.shared_drive_id`*:: +*`gcp.audit.request.name`*:: + -- -The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. +Name of the request. type: keyword -- -*`google_workspace.drive.visibility`*:: +*`gcp.audit.request.resource_name`*:: + -- -Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +Name of the request resource. type: keyword -- -*`google_workspace.drive.new_value`*:: -+ --- -When a setting or property of the file changes, the new value for it will appear here. +[float] +=== request_metadata +Metadata about the request. 
-type: keyword --- -*`google_workspace.drive.old_value`*:: +*`gcp.audit.request_metadata.caller_ip`*:: + -- -When a setting or property of the file changes, the old value for it will appear here. +The IP address of the caller. -type: keyword +type: ip -- -*`google_workspace.drive.sheets_import_range_recipient_doc`*:: +*`gcp.audit.request_metadata.caller_supplied_user_agent`*:: + -- -Doc ID of the recipient of a sheets import range. +The user agent of the caller. This information is not authenticated and should be treated accordingly. + type: keyword -- -*`google_workspace.drive.old_visibility`*:: -+ --- -When visibility changes, this holds the old value. +[float] +=== response +The operation response. -type: keyword --- -*`google_workspace.drive.visibility_change`*:: +*`gcp.audit.response.proto_name`*:: + -- -When visibility changes, this holds the new overall visibility of the file. +Type property of the response. type: keyword -- -*`google_workspace.drive.target_domain`*:: -+ --- -The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. +[float] +=== details +The details of the response. -type: keyword --- -*`google_workspace.drive.added_role`*:: +*`gcp.audit.response.details.group`*:: + -- -Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +The name of the group. type: keyword -- -*`google_workspace.drive.membership_change_type`*:: +*`gcp.audit.response.details.kind`*:: + -- -Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +The kind of the response details. 
type: keyword -- -*`google_workspace.drive.shared_drive_settings_change_type`*:: +*`gcp.audit.response.details.name`*:: + -- -Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +The name of the response details. type: keyword -- -*`google_workspace.drive.removed_role`*:: +*`gcp.audit.response.details.uid`*:: + -- -Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive +The uid of the response details. type: keyword -- -*`google_workspace.drive.target`*:: +*`gcp.audit.response.status`*:: + -- -Target user or group. +Status of the response. + type: keyword -- - -*`google_workspace.groups.acl_permission`*:: +*`gcp.audit.resource_name`*:: + -- -Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. type: keyword -- -*`google_workspace.groups.email`*:: -+ --- -Group email. +[float] +=== resource_location +The location of the resource. -type: keyword --- -*`google_workspace.groups.member.email`*:: +*`gcp.audit.resource_location.current_locations`*:: + -- -Member email. +Current locations of the resource. type: keyword -- -*`google_workspace.groups.member.role`*:: +*`gcp.audit.service_name`*:: + -- -Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +The name of the API service performing the operation. For example, datastore.googleapis.com. type: keyword -- -*`google_workspace.groups.setting`*:: -+ --- -Group setting updated. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +[float] +=== status +The status of the overall operation. -type: keyword --- -*`google_workspace.groups.new_value`*:: +*`gcp.audit.status.code`*:: + -- -New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +The status code, which should be an enum value of google.rpc.Code. -type: keyword +type: integer -- -*`google_workspace.groups.old_value`*:: +*`gcp.audit.status.message`*:: + -- -Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. + type: keyword -- -*`google_workspace.groups.value`*:: -+ --- -Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups +[float] +=== firewall +Fields for Google Cloud Firewall logs. -type: keyword --- -*`google_workspace.groups.message.id`*:: -+ --- -SMTP message Id of an email message. Present for moderation events. +[float] +=== rule_details +Description of the firewall rule that matched this connection. -type: keyword --- -*`google_workspace.groups.message.moderation_action`*:: +*`gcp.firewall.rule_details.priority`*:: + -- -Message moderation action. Possible values are `approved` and `rejected`. - +The priority for the firewall rule. -type: keyword +type: long -- -*`google_workspace.groups.status`*:: +*`gcp.firewall.rule_details.action`*:: + -- -A status describing the output of an operation. Possible values are `failed` and `succeeded`. - +Action that the rule performs on match. 
type: keyword -- - -*`google_workspace.login.affected_email_address`*:: +*`gcp.firewall.rule_details.direction`*:: + -- +Direction of traffic that matches this rule. + type: keyword -- -*`google_workspace.login.challenge_method`*:: +*`gcp.firewall.rule_details.reference`*:: + -- -Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - +Reference to the firewall rule. type: keyword -- -*`google_workspace.login.failure_type`*:: +*`gcp.firewall.rule_details.source_range`*:: + -- -Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - +List of source ranges that the firewall rule applies to. type: keyword -- -*`google_workspace.login.type`*:: +*`gcp.firewall.rule_details.destination_range`*:: + -- -Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - +List of destination ranges that the firewall applies to. type: keyword -- -*`google_workspace.login.is_second_factor`*:: +*`gcp.firewall.rule_details.source_tag`*:: + -- -type: boolean +List of all the source tags that the firewall rule applies to. --- -*`google_workspace.login.is_suspicious`*:: -+ --- -type: boolean +type: keyword -- - -*`google_workspace.saml.application_name`*:: +*`gcp.firewall.rule_details.target_tag`*:: + -- -Saml SP application name. +List of all the target tags that the firewall rule applies to. type: keyword -- -*`google_workspace.saml.failure_type`*:: +*`gcp.firewall.rule_details.ip_port_info`*:: + -- -Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. +List of ip protocols and applicable port ranges for rules. 
-type: keyword +type: array -- -*`google_workspace.saml.initiated_by`*:: +*`gcp.firewall.rule_details.source_service_account`*:: + -- -Requester of SAML authentication. +List of all the source service accounts that the firewall rule applies to. type: keyword -- -*`google_workspace.saml.orgunit_path`*:: +*`gcp.firewall.rule_details.target_service_account`*:: + -- -User orgunit. +List of all the target service accounts that the firewall rule applies to. type: keyword -- -*`google_workspace.saml.status_code`*:: +[float] +=== vpcflow + +Fields for Google Cloud VPC flow logs. + + + +*`gcp.vpcflow.reporter`*:: + -- -SAML status code. +The side which reported the flow. Can be either 'SRC' or 'DEST'. type: keyword -- -*`google_workspace.saml.second_level_status_code`*:: +*`gcp.vpcflow.rtt.ms`*:: + -- -SAML second level status code. +Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. -type: keyword +type: long -- -[[exported-fields-gsuite]] -== gsuite fields +[[exported-fields-google_workspace]] +== google_workspace fields -gsuite Module +Google Workspace Module [float] -=== gsuite +=== google_workspace -Gsuite specific fields. +Google Workspace specific fields. More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list -*`gsuite.actor.type`*:: +*`google_workspace.actor.type`*:: + -- The type of actor. @@ -72103,7 +65403,7 @@ type: keyword -- -*`gsuite.actor.key`*:: +*`google_workspace.actor.key`*:: + -- Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. 
@@ -72113,10 +65413,10 @@ type: keyword -- -*`gsuite.event.type`*:: +*`google_workspace.event.type`*:: + -- -The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list type: keyword @@ -72125,7 +65425,7 @@ example: audit#activity -- -*`gsuite.kind`*:: +*`google_workspace.kind`*:: + -- The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list @@ -72137,7 +65437,7 @@ example: audit#activity -- -*`gsuite.organization.domain`*:: +*`google_workspace.organization.domain`*:: + -- The domain that is affected by the report's event. @@ -72148,16 +65448,16 @@ type: keyword -- -*`gsuite.admin.application.edition`*:: +*`google_workspace.admin.application.edition`*:: + -- -The GSuite edition. +The Google Workspace edition. type: keyword -- -*`gsuite.admin.application.name`*:: +*`google_workspace.admin.application.name`*:: + -- The application's name. @@ -72166,7 +65466,7 @@ type: keyword -- -*`gsuite.admin.application.enabled`*:: +*`google_workspace.admin.application.enabled`*:: + -- The enabled application. @@ -72175,7 +65475,7 @@ type: keyword -- -*`gsuite.admin.application.licences_order_number`*:: +*`google_workspace.admin.application.licences_order_number`*:: + -- Order number used to redeem licenses. @@ -72184,7 +65484,7 @@ type: keyword -- -*`gsuite.admin.application.licences_purchased`*:: +*`google_workspace.admin.application.licences_purchased`*:: + -- Number of licences purchased. 
@@ -72193,7 +65493,7 @@ type: keyword -- -*`gsuite.admin.application.id`*:: +*`google_workspace.admin.application.id`*:: + -- The application ID. @@ -72202,7 +65502,7 @@ type: keyword -- -*`gsuite.admin.application.asp_id`*:: +*`google_workspace.admin.application.asp_id`*:: + -- The application specific password ID. @@ -72211,7 +65511,7 @@ type: keyword -- -*`gsuite.admin.application.package_id`*:: +*`google_workspace.admin.application.package_id`*:: + -- The mobile application package ID. @@ -72220,7 +65520,7 @@ type: keyword -- -*`gsuite.admin.group.email`*:: +*`google_workspace.admin.group.email`*:: + -- The group's primary email address. @@ -72229,7 +65529,7 @@ type: keyword -- -*`gsuite.admin.new_value`*:: +*`google_workspace.admin.new_value`*:: + -- The new value for the setting. @@ -72238,7 +65538,7 @@ type: keyword -- -*`gsuite.admin.old_value`*:: +*`google_workspace.admin.old_value`*:: + -- The old value for the setting. @@ -72247,7 +65547,7 @@ type: keyword -- -*`gsuite.admin.org_unit.name`*:: +*`google_workspace.admin.org_unit.name`*:: + -- The organizational unit name. @@ -72256,7 +65556,7 @@ type: keyword -- -*`gsuite.admin.org_unit.full`*:: +*`google_workspace.admin.org_unit.full`*:: + -- The org unit full path including the root org unit name. @@ -72265,7 +65565,7 @@ type: keyword -- -*`gsuite.admin.setting.name`*:: +*`google_workspace.admin.setting.name`*:: + -- The setting name. @@ -72274,7 +65574,7 @@ type: keyword -- -*`gsuite.admin.user_defined_setting.name`*:: +*`google_workspace.admin.user_defined_setting.name`*:: + -- The name of the user-defined setting. @@ -72283,7 +65583,7 @@ type: keyword -- -*`gsuite.admin.setting.description`*:: +*`google_workspace.admin.setting.description`*:: + -- The setting name. @@ -72292,7 +65592,7 @@ type: keyword -- -*`gsuite.admin.group.priorities`*:: +*`google_workspace.admin.group.priorities`*:: + -- Group priorities. 
@@ -72301,7 +65601,7 @@ type: keyword -- -*`gsuite.admin.domain.alias`*:: +*`google_workspace.admin.domain.alias`*:: + -- The domain alias. @@ -72310,7 +65610,7 @@ type: keyword -- -*`gsuite.admin.domain.name`*:: +*`google_workspace.admin.domain.name`*:: + -- The primary domain name. @@ -72319,7 +65619,7 @@ type: keyword -- -*`gsuite.admin.domain.secondary_name`*:: +*`google_workspace.admin.domain.secondary_name`*:: + -- The secondary domain name. @@ -72328,7 +65628,7 @@ type: keyword -- -*`gsuite.admin.managed_configuration`*:: +*`google_workspace.admin.managed_configuration`*:: + -- The name of the managed configuration. @@ -72337,7 +65637,7 @@ type: keyword -- -*`gsuite.admin.non_featured_services_selection`*:: +*`google_workspace.admin.non_featured_services_selection`*:: + -- Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED @@ -72347,7 +65647,7 @@ type: keyword -- -*`gsuite.admin.field`*:: +*`google_workspace.admin.field`*:: + -- The name of the field. @@ -72356,7 +65656,7 @@ type: keyword -- -*`gsuite.admin.resource.id`*:: +*`google_workspace.admin.resource.id`*:: + -- The name of the resource identifier. @@ -72365,7 +65665,7 @@ type: keyword -- -*`gsuite.admin.user.email`*:: +*`google_workspace.admin.user.email`*:: + -- The user's primary email address. @@ -72374,7 +65674,7 @@ type: keyword -- -*`gsuite.admin.user.nickname`*:: +*`google_workspace.admin.user.nickname`*:: + -- The user's nickname. @@ -72383,7 +65683,7 @@ type: keyword -- -*`gsuite.admin.user.birthdate`*:: +*`google_workspace.admin.user.birthdate`*:: + -- The user's birth date. @@ -72392,7 +65692,7 @@ type: date -- -*`gsuite.admin.gateway.name`*:: +*`google_workspace.admin.gateway.name`*:: + -- Gateway name. Present on some chat settings. 
@@ -72401,7 +65701,7 @@ type: keyword -- -*`gsuite.admin.chrome_os.session_type`*:: +*`google_workspace.admin.chrome_os.session_type`*:: + -- Chrome OS session type. @@ -72410,7 +65710,7 @@ type: keyword -- -*`gsuite.admin.device.serial_number`*:: +*`google_workspace.admin.device.serial_number`*:: + -- Device serial number. @@ -72419,14 +65719,14 @@ type: keyword -- -*`gsuite.admin.device.id`*:: +*`google_workspace.admin.device.id`*:: + -- type: keyword -- -*`gsuite.admin.device.type`*:: +*`google_workspace.admin.device.type`*:: + -- Device type. @@ -72435,7 +65735,7 @@ type: keyword -- -*`gsuite.admin.print_server.name`*:: +*`google_workspace.admin.print_server.name`*:: + -- The name of the print server. @@ -72444,7 +65744,7 @@ type: keyword -- -*`gsuite.admin.printer.name`*:: +*`google_workspace.admin.printer.name`*:: + -- The name of the printer. @@ -72453,7 +65753,7 @@ type: keyword -- -*`gsuite.admin.device.command_details`*:: +*`google_workspace.admin.device.command_details`*:: + -- Command details. @@ -72462,7 +65762,7 @@ type: keyword -- -*`gsuite.admin.role.id`*:: +*`google_workspace.admin.role.id`*:: + -- Unique identifier for this role privilege. @@ -72471,7 +65771,7 @@ type: keyword -- -*`gsuite.admin.role.name`*:: +*`google_workspace.admin.role.name`*:: + -- The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings @@ -72481,7 +65781,7 @@ type: keyword -- -*`gsuite.admin.privilege.name`*:: +*`google_workspace.admin.privilege.name`*:: + -- Privilege name. @@ -72490,7 +65790,7 @@ type: keyword -- -*`gsuite.admin.service.name`*:: +*`google_workspace.admin.service.name`*:: + -- The service name. @@ -72499,7 +65799,7 @@ type: keyword -- -*`gsuite.admin.url.name`*:: +*`google_workspace.admin.url.name`*:: + -- The website name. @@ -72508,7 +65808,7 @@ type: keyword -- -*`gsuite.admin.product.name`*:: +*`google_workspace.admin.product.name`*:: + -- The product name. 
@@ -72517,7 +65817,7 @@ type: keyword -- -*`gsuite.admin.product.sku`*:: +*`google_workspace.admin.product.sku`*:: + -- The product SKU. @@ -72526,7 +65826,7 @@ type: keyword -- -*`gsuite.admin.bulk_upload.failed`*:: +*`google_workspace.admin.bulk_upload.failed`*:: + -- Number of failed records in bulk upload operation. @@ -72535,7 +65835,7 @@ type: long -- -*`gsuite.admin.bulk_upload.total`*:: +*`google_workspace.admin.bulk_upload.total`*:: + -- Number of total records in bulk upload operation. @@ -72544,7 +65844,7 @@ type: long -- -*`gsuite.admin.group.allowed_list`*:: +*`google_workspace.admin.group.allowed_list`*:: + -- Names of allow-listed groups. @@ -72553,7 +65853,7 @@ type: keyword -- -*`gsuite.admin.email.quarantine_name`*:: +*`google_workspace.admin.email.quarantine_name`*:: + -- The name of the quarantine. @@ -72562,7 +65862,7 @@ type: keyword -- -*`gsuite.admin.email.log_search_filter.message_id`*:: +*`google_workspace.admin.email.log_search_filter.message_id`*:: + -- The log search filter's email message ID. @@ -72571,7 +65871,7 @@ type: keyword -- -*`gsuite.admin.email.log_search_filter.start_date`*:: +*`google_workspace.admin.email.log_search_filter.start_date`*:: + -- The log search filter's start date. @@ -72580,7 +65880,7 @@ type: date -- -*`gsuite.admin.email.log_search_filter.end_date`*:: +*`google_workspace.admin.email.log_search_filter.end_date`*:: + -- The log search filter's ending date. @@ -72589,7 +65889,7 @@ type: date -- -*`gsuite.admin.email.log_search_filter.recipient.value`*:: +*`google_workspace.admin.email.log_search_filter.recipient.value`*:: + -- The log search filter's email recipient. @@ -72598,7 +65898,7 @@ type: keyword -- -*`gsuite.admin.email.log_search_filter.sender.value`*:: +*`google_workspace.admin.email.log_search_filter.sender.value`*:: + -- The log search filter's email sender. 
@@ -72607,7 +65907,7 @@ type: keyword -- -*`gsuite.admin.email.log_search_filter.recipient.ip`*:: +*`google_workspace.admin.email.log_search_filter.recipient.ip`*:: + -- The log search filter's email recipient's IP address. @@ -72616,7 +65916,7 @@ type: ip -- -*`gsuite.admin.email.log_search_filter.sender.ip`*:: +*`google_workspace.admin.email.log_search_filter.sender.ip`*:: + -- The log search filter's email sender's IP address. @@ -72625,7 +65925,7 @@ type: ip -- -*`gsuite.admin.chrome_licenses.enabled`*:: +*`google_workspace.admin.chrome_licenses.enabled`*:: + -- Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings @@ -72635,7 +65935,7 @@ type: keyword -- -*`gsuite.admin.chrome_licenses.allowed`*:: +*`google_workspace.admin.chrome_licenses.allowed`*:: + -- Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings @@ -72645,7 +65945,7 @@ type: keyword -- -*`gsuite.admin.oauth2.service.name`*:: +*`google_workspace.admin.oauth2.service.name`*:: + -- OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings @@ -72655,7 +65955,7 @@ type: keyword -- -*`gsuite.admin.oauth2.application.id`*:: +*`google_workspace.admin.oauth2.application.id`*:: + -- OAuth2 application ID. @@ -72664,7 +65964,7 @@ type: keyword -- -*`gsuite.admin.oauth2.application.name`*:: +*`google_workspace.admin.oauth2.application.name`*:: + -- OAuth2 application name. @@ -72673,7 +65973,7 @@ type: keyword -- -*`gsuite.admin.oauth2.application.type`*:: +*`google_workspace.admin.oauth2.application.type`*:: + -- OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings 
@@ -72683,7 +65983,7 @@ type: keyword -- -*`gsuite.admin.verification_method`*:: +*`google_workspace.admin.verification_method`*:: + -- Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings @@ -72693,7 +65993,7 @@ type: keyword -- -*`gsuite.admin.alert.name`*:: +*`google_workspace.admin.alert.name`*:: + -- The alert name. @@ -72702,7 +66002,7 @@ type: keyword -- -*`gsuite.admin.rule.name`*:: +*`google_workspace.admin.rule.name`*:: + -- The rule name. @@ -72711,7 +66011,7 @@ type: keyword -- -*`gsuite.admin.api.client.name`*:: +*`google_workspace.admin.api.client.name`*:: + -- The API client name. @@ -72720,7 +66020,7 @@ type: keyword -- -*`gsuite.admin.api.scopes`*:: +*`google_workspace.admin.api.scopes`*:: + -- The API scopes. @@ -72729,7 +66029,7 @@ type: keyword -- -*`gsuite.admin.mdm.token`*:: +*`google_workspace.admin.mdm.token`*:: + -- The MDM vendor enrollment token. @@ -72738,7 +66038,7 @@ type: keyword -- -*`gsuite.admin.mdm.vendor`*:: +*`google_workspace.admin.mdm.vendor`*:: + -- The MDM vendor's name. @@ -72747,7 +66047,7 @@ type: keyword -- -*`gsuite.admin.info_type`*:: +*`google_workspace.admin.info_type`*:: + -- This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings @@ -72757,7 +66057,7 @@ type: keyword -- -*`gsuite.admin.email_monitor.dest_email`*:: +*`google_workspace.admin.email_monitor.dest_email`*:: + -- The destination address of the email monitor. @@ -72766,7 +66066,7 @@ type: keyword -- -*`gsuite.admin.email_monitor.level.chat`*:: +*`google_workspace.admin.email_monitor.level.chat`*:: + -- The chat email monitor level. 
@@ -72775,7 +66075,7 @@ type: keyword -- -*`gsuite.admin.email_monitor.level.draft`*:: +*`google_workspace.admin.email_monitor.level.draft`*:: + -- The draft email monitor level. @@ -72784,7 +66084,7 @@ type: keyword -- -*`gsuite.admin.email_monitor.level.incoming`*:: +*`google_workspace.admin.email_monitor.level.incoming`*:: + -- The incoming email monitor level. @@ -72793,7 +66093,7 @@ type: keyword -- -*`gsuite.admin.email_monitor.level.outgoing`*:: +*`google_workspace.admin.email_monitor.level.outgoing`*:: + -- The outgoing email monitor level. @@ -72802,7 +66102,7 @@ type: keyword -- -*`gsuite.admin.email_dump.include_deleted`*:: +*`google_workspace.admin.email_dump.include_deleted`*:: + -- Indicates if deleted emails are included in the export. @@ -72811,7 +66111,7 @@ type: boolean -- -*`gsuite.admin.email_dump.package_content`*:: +*`google_workspace.admin.email_dump.package_content`*:: + -- The contents of the mailbox package. @@ -72820,7 +66120,7 @@ type: keyword -- -*`gsuite.admin.email_dump.query`*:: +*`google_workspace.admin.email_dump.query`*:: + -- The search query used for the dump. @@ -72829,7 +66129,7 @@ type: keyword -- -*`gsuite.admin.request.id`*:: +*`google_workspace.admin.request.id`*:: + -- The request ID. @@ -72838,7 +66138,7 @@ type: keyword -- -*`gsuite.admin.mobile.action.id`*:: +*`google_workspace.admin.mobile.action.id`*:: + -- The mobile device action's ID. @@ -72847,7 +66147,7 @@ type: keyword -- -*`gsuite.admin.mobile.action.type`*:: +*`google_workspace.admin.mobile.action.type`*:: + -- The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings @@ -72857,7 +66157,7 @@ type: keyword -- -*`gsuite.admin.mobile.certificate.name`*:: +*`google_workspace.admin.mobile.certificate.name`*:: + -- The mobile certificate common name. 
@@ -72866,7 +66166,7 @@ type: keyword -- -*`gsuite.admin.mobile.company_owned_devices`*:: +*`google_workspace.admin.mobile.company_owned_devices`*:: + -- The number of devices a company owns. @@ -72875,7 +66175,7 @@ type: long -- -*`gsuite.admin.distribution.entity.name`*:: +*`google_workspace.admin.distribution.entity.name`*:: + -- The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings @@ -72885,7 +66185,7 @@ type: keyword -- -*`gsuite.admin.distribution.entity.type`*:: +*`google_workspace.admin.distribution.entity.type`*:: + -- The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings @@ -72896,7 +66196,7 @@ type: keyword -- -*`gsuite.drive.billable`*:: +*`google_workspace.drive.billable`*:: + -- Whether this activity is billable. @@ -72905,42 +66205,42 @@ type: boolean -- -*`gsuite.drive.source_folder_id`*:: +*`google_workspace.drive.source_folder_id`*:: + -- type: keyword -- -*`gsuite.drive.source_folder_title`*:: +*`google_workspace.drive.source_folder_title`*:: + -- type: keyword -- -*`gsuite.drive.destination_folder_id`*:: +*`google_workspace.drive.destination_folder_id`*:: + -- type: keyword -- -*`gsuite.drive.destination_folder_title`*:: +*`google_workspace.drive.destination_folder_title`*:: + -- type: keyword -- -*`gsuite.drive.file.id`*:: +*`google_workspace.drive.file.id`*:: + -- type: keyword -- -*`gsuite.drive.file.type`*:: +*`google_workspace.drive.file.type`*:: + -- Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive 
@@ -72950,7 +66250,7 @@ type: keyword -- -*`gsuite.drive.originating_app_id`*:: +*`google_workspace.drive.originating_app_id`*:: + -- The Google Cloud Project ID of the application that performed the action. @@ -72960,14 +66260,14 @@ type: keyword -- -*`gsuite.drive.file.owner.email`*:: +*`google_workspace.drive.file.owner.email`*:: + -- type: keyword -- -*`gsuite.drive.file.owner.is_shared_drive`*:: +*`google_workspace.drive.file.owner.is_shared_drive`*:: + -- Boolean flag denoting whether owner is a shared drive. @@ -72977,7 +66277,7 @@ type: boolean -- -*`gsuite.drive.primary_event`*:: +*`google_workspace.drive.primary_event`*:: + -- Whether this is a primary event. A single user action in Drive may generate several events. @@ -72987,7 +66287,7 @@ type: boolean -- -*`gsuite.drive.shared_drive_id`*:: +*`google_workspace.drive.shared_drive_id`*:: + -- The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. @@ -72997,7 +66297,7 @@ type: keyword -- -*`gsuite.drive.visibility`*:: +*`google_workspace.drive.visibility`*:: + -- Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -73007,7 +66307,7 @@ type: keyword -- -*`gsuite.drive.new_value`*:: +*`google_workspace.drive.new_value`*:: + -- When a setting or property of the file changes, the new value for it will appear here. @@ -73017,7 +66317,7 @@ type: keyword -- -*`gsuite.drive.old_value`*:: +*`google_workspace.drive.old_value`*:: + -- When a setting or property of the file changes, the old value for it will appear here. @@ -73027,7 +66327,7 @@ type: keyword -- -*`gsuite.drive.sheets_import_range_recipient_doc`*:: +*`google_workspace.drive.sheets_import_range_recipient_doc`*:: + -- Doc ID of the recipient of a sheets import range. 
@@ -73036,7 +66336,7 @@ type: keyword -- -*`gsuite.drive.old_visibility`*:: +*`google_workspace.drive.old_visibility`*:: + -- When visibility changes, this holds the old value. @@ -73046,7 +66346,7 @@ type: keyword -- -*`gsuite.drive.visibility_change`*:: +*`google_workspace.drive.visibility_change`*:: + -- When visibility changes, this holds the new overall visibility of the file. @@ -73056,7 +66356,7 @@ type: keyword -- -*`gsuite.drive.target_domain`*:: +*`google_workspace.drive.target_domain`*:: + -- The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. @@ -73066,7 +66366,7 @@ type: keyword -- -*`gsuite.drive.added_role`*:: +*`google_workspace.drive.added_role`*:: + -- Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -73076,7 +66376,7 @@ type: keyword -- -*`gsuite.drive.membership_change_type`*:: +*`google_workspace.drive.membership_change_type`*:: + -- Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -73086,7 +66386,7 @@ type: keyword -- -*`gsuite.drive.shared_drive_settings_change_type`*:: +*`google_workspace.drive.shared_drive_settings_change_type`*:: + -- Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive @@ -73096,7 +66396,7 @@ type: keyword -- -*`gsuite.drive.removed_role`*:: +*`google_workspace.drive.removed_role`*:: + -- Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive 
@@ -73106,7 +66406,7 @@ type: keyword -- -*`gsuite.drive.target`*:: +*`google_workspace.drive.target`*:: + -- Target user or group. @@ -73116,7 +66416,7 @@ type: keyword -- -*`gsuite.groups.acl_permission`*:: +*`google_workspace.groups.acl_permission`*:: + -- Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -73126,7 +66426,7 @@ type: keyword -- -*`gsuite.groups.email`*:: +*`google_workspace.groups.email`*:: + -- Group email. @@ -73136,7 +66436,7 @@ type: keyword -- -*`gsuite.groups.member.email`*:: +*`google_workspace.groups.member.email`*:: + -- Member email. @@ -73146,7 +66446,7 @@ type: keyword -- -*`gsuite.groups.member.role`*:: +*`google_workspace.groups.member.role`*:: + -- Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -73156,7 +66456,7 @@ type: keyword -- -*`gsuite.groups.setting`*:: +*`google_workspace.groups.setting`*:: + -- Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -73166,7 +66466,7 @@ type: keyword -- -*`gsuite.groups.new_value`*:: +*`google_workspace.groups.new_value`*:: + -- New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -73176,7 +66476,7 @@ type: keyword -- -*`gsuite.groups.old_value`*:: +*`google_workspace.groups.old_value`*:: + -- Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups @@ -73185,7 +66485,7 @@ type: keyword -- -*`gsuite.groups.value`*:: +*`google_workspace.groups.value`*:: + -- Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups 
@@ -73195,7 +66495,7 @@ type: keyword -- -*`gsuite.groups.message.id`*:: +*`google_workspace.groups.message.id`*:: + -- SMTP message Id of an email message. Present for moderation events. @@ -73205,7 +66505,7 @@ type: keyword -- -*`gsuite.groups.message.moderation_action`*:: +*`google_workspace.groups.message.moderation_action`*:: + -- Message moderation action. Possible values are `approved` and `rejected`. @@ -73215,7 +66515,7 @@ type: keyword -- -*`gsuite.groups.status`*:: +*`google_workspace.groups.status`*:: + -- A status describing the output of an operation. Possible values are `failed` and `succeeded`. @@ -73226,14 +66526,14 @@ type: keyword -- -*`gsuite.login.affected_email_address`*:: +*`google_workspace.login.affected_email_address`*:: + -- type: keyword -- -*`gsuite.login.challenge_method`*:: +*`google_workspace.login.challenge_method`*:: + -- Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. @@ -73243,7 +66543,7 @@ type: keyword -- -*`gsuite.login.failure_type`*:: +*`google_workspace.login.failure_type`*:: + -- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. @@ -73253,7 +66553,7 @@ type: keyword -- -*`gsuite.login.type`*:: +*`google_workspace.login.type`*:: + -- Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. @@ -73263,14 +66563,14 @@ type: keyword -- -*`gsuite.login.is_second_factor`*:: +*`google_workspace.login.is_second_factor`*:: + -- type: boolean -- -*`gsuite.login.is_suspicious`*:: +*`google_workspace.login.is_suspicious`*:: + -- type: boolean @@ -73278,7 +66578,7 @@ type: boolean -- -*`gsuite.saml.application_name`*:: +*`google_workspace.saml.application_name`*:: + -- Saml SP application name. 
@@ -73288,7 +66588,7 @@ type: keyword -- -*`gsuite.saml.failure_type`*:: +*`google_workspace.saml.failure_type`*:: + -- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. @@ -73298,7 +66598,7 @@ type: keyword -- -*`gsuite.saml.initiated_by`*:: +*`google_workspace.saml.initiated_by`*:: + -- Requester of SAML authentication. @@ -73308,7 +66608,7 @@ type: keyword -- -*`gsuite.saml.orgunit_path`*:: +*`google_workspace.saml.orgunit_path`*:: + -- User orgunit. @@ -73318,7 +66618,7 @@ type: keyword -- -*`gsuite.saml.status_code`*:: +*`google_workspace.saml.status_code`*:: + -- SAML status code. @@ -73328,7 +66628,7 @@ type: keyword -- -*`gsuite.saml.second_level_status_code`*:: +*`google_workspace.saml.second_level_status_code`*:: + -- SAML second level status code. diff --git a/filebeat/docs/modules/cyberark.asciidoc b/filebeat/docs/modules/cyberark.asciidoc deleted file mode 100644 index bff645d0809a..000000000000 --- a/filebeat/docs/modules/cyberark.asciidoc +++ /dev/null 
@@ -1,79 +0,0 @@ -//// -This file is generated! See scripts/docs_collector.py -//// - -[[filebeat-module-cyberark]] -[role="xpack"] - -:modulename: cyberark -:has-dashboards: false - -== Cyberark module - -deprecated::[7.13.0,"This module is deprecated. Use the <>"] - -This is a module for receiving Cyber-Ark logs over Syslog or a file. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: corepas - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `corepas` fileset settings - -deprecated::[7.13.0] - -NOTE: This was converted from RSA NetWitness log parser XML "cyberark" device revision 124. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9527` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - - - -[float] -=== Fields - -For a description of each field in the module, see the -<> section. - 
diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc deleted file mode 100644 index 2df022216c55..000000000000 --- a/filebeat/docs/modules/gsuite.asciidoc +++ /dev/null 
@@ -1,146 +0,0 @@ -//// -This file is generated! See scripts/docs_collector.py -//// - -[[filebeat-module-gsuite]] -[role="xpack"] - -:modulename: gsuite -:has-dashboards: false - -== GSuite module - -beta[] - -deprecated::[7.12] - -This is a module for ingesting data from the different GSuite audit reports API's. - -include::../include/gs-link.asciidoc[] - -[float] -=== Compatibility - -It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: - -[options="header"] -|=========================================================================================================================================================================================================================== -| GSuite Service | Description | -| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | -| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | -| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | -| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. 
| -| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | -| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | -|=========================================================================================================================================================================================================================== - -[float] -=== Configure the module - -In order for Filebeat to ingest data from the Google Reports API you must: - -- Have an *administrator account*. -- https://support.google.com/gsuitemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. -- https://support.google.com/gsuitemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. -- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. 
- -This module will make use of the following *oauth2 scope*: - -- `https://www.googleapis.com/auth/admin.reports.audit.readonly` - -Once you have downloaded your service account credentials as a JSON file, -you can set up your module: - -[float] -===== Configuration options - -[source,yaml] ----- -- module: gsuite - saml: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - user_accounts: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - login: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - admin: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - drive: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - groups: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" ----- - -Every fileset has the following configuration options: - -*`var.jwt_file`*:: - -Specifies the path to the JWT credentials file. - -*`var.delegated_account`*:: - -Email of the admin user used to access the API. - -*`var.http_client_timeout`*:: - -Duration of the time limit on HTTP requests made by the module. Defaults to -`60s`. - -*`var.interval`*:: - -Duration between requests to the API. Defaults to `2h`. - -NOTE: GSuite defaults to a 2 hour polling interval because Google reports can go from -some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. - -*`var.user_key`*:: - -Specifies the user key to fetch reports from. Defaults to `all`. - -*`var.initial_interval`*:: - -It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`. 
- -[float] -==== GSuite Reports ECS fields - -This is a list of GSuite Reports fields that are mapped to ECS. - -[options="header"] -|=============================================================================================== -| GSuite Reports | ECS Fields | -| `items[].id.time` | `@timestamp` | -| `items[].id.uniqueQualifier` | `event.id` | -| `items[].id.applicationName` | `event.provider` | -| `items[].events[].name` | `event.action` | -| `items[].customerId` | `organization.id` | -| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | -| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | -| `items[].actor.profileId` | `source.user.id` | -|=============================================================================================== - -These are the common ones to all filesets. - -:has-dashboards!: - -:modulename!: - - -[float] -=== Fields - -For a description of each field in the module, see the -<> section. - diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index bb588001ee1e..c55da6935add 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -16,7 +16,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -25,7 +24,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -91,7 +89,6 @@ include::modules/checkpoint.asciidoc[] include::modules/cisco.asciidoc[] include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] -include::modules/cyberark.asciidoc[] include::modules/cyberarkpas.asciidoc[] include::modules/cylance.asciidoc[] include::modules/elasticsearch.asciidoc[] 
@@ -100,7 +97,6 @@ include::modules/f5.asciidoc[] include::modules/fortinet.asciidoc[] include::modules/gcp.asciidoc[] include::modules/google_workspace.asciidoc[] -include::modules/gsuite.asciidoc[] include::modules/haproxy.asciidoc[] include::modules/ibmmq.asciidoc[] include::modules/icinga.asciidoc[] diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index a9ce3637939d..3702de33c94b 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -128,7 +128,8 @@ def run_on_file(self, module, fileset, test_file, cfgfile): # Based on the convention that if a name contains -json the json format is needed. Currently used for LS. if "-json" in test_file: cmd.append("-M") - cmd.append("{module}.{fileset}.var.format=json".format(module=module, fileset=fileset)) + cmd.append("{module}.{fileset}.var.format=json".format( + module=module, fileset=fileset)) output_path = os.path.join(self.working_dir) # Runs inside a with block to ensure file is closed afterwards @@ -152,8 +153,10 @@ def run_on_file(self, module, fileset, test_file, cfgfile): # List of errors to check in filebeat output logs errors = ["error loading pipeline for fileset"] # Checks if the output of filebeat includes errors - contains_error, error_line = file_contains(os.path.join(output_path, "output.log"), errors) - assert contains_error is False, "Error found in log:{}".format(error_line) + contains_error, error_line = file_contains( + os.path.join(output_path, "output.log"), errors) + assert contains_error is False, "Error found in log:{}".format( + error_line) # Make sure index exists self.wait_until(lambda: self.es.indices.exists(self.index_name)) 
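Review bot: The line wrapping introduced in the -128 hunk of test_modules.py breaks the expression at an awkward point, splitting `.format(` from its arguments; the -152 hunk here and the -198 and -226 hunks in `_test_expected_events` show the same pattern (`assert len(\n d) == 0` and `separators=(\n ',', ': ')`), which reads as a mechanical formatter pass rather than a deliberate layout. Since these hunks change no behaviour, the wrap would be clearer if the long string were bound first, e.g. `fmt = "{module}.{fileset}.var.format=json"` followed by `cmd.append(fmt.format(module=module, fileset=fileset))`, and in the DeepDiff assert by breaking after the comma inside the message rather than inside `len(...)`. `run_on_file` starts before the -128 hunk and continues past the -152 hunk, so the surrounding formatting convention is only partly visible here.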
@@ -198,7 +201,8 @@ def _test_expected_events(self, test_file, objects): if isinstance(objects[k][key], list): objects[k][key].sort(key=str) - json.dump(objects, f, indent=4, separators=(',', ': '), sort_keys=True) + json.dump(objects, f, indent=4, separators=( + ',', ': '), sort_keys=True) with open(test_file + "-expected.json", "r") as f: expected = json.load(f) @@ -226,7 +230,8 @@ def _test_expected_events(self, test_file, objects): d = DeepDiff(ev, obj, ignore_order=True) - assert len(d) == 0, "The following expected object doesn't match:\n Diff:\n{}, full object: \n{}".format(d, obj) + assert len( + d) == 0, "The following expected object doesn't match:\n Diff:\n{}, full object: \n{}".format(d, obj) def clean_keys(obj): @@ -252,7 +257,6 @@ def clean_keys(obj): "cisco.asa", "cisco.ios", "citrix.netscaler", - "cyberark.corepas", "cylance.protect", "f5.bigipafm", "fortinet.clientendpoint", @@ -273,14 +277,6 @@ def clean_keys(obj): "microsoft.defender_atp", "crowdstrike.falcon_endpoint", "crowdstrike.falcon_audit", - "gsuite.admin", - "gsuite.config", - "gsuite.drive", - "gsuite.groups", - "gsuite.ingest", - "gsuite.login", - "gsuite.saml", - "gsuite.user_accounts", "zoom.webhook", "threatintel.otx", "threatintel.abuseurl", diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index acb3e5d1cd17..17d9f6e5924b 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -763,29 +763,6 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: -#------------------------------ Cyber-Ark Module ------------------------------ -# The cyberark module is deprecated and will be removed in future releases. -# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. -- module: cyberark - corepas: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9527 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #----------------------------- CyberArk PAS Module ----------------------------- - module: cyberarkpas audit: 
@@ -1183,58 +1160,6 @@ filebeat.modules: # the subscription. var.credentials_file: ${path.config}/gcp-service-account-xyz.json -#-------------------------------- Gsuite Module -------------------------------- -# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. -- module: gsuite - saml: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - user_accounts: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - login: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - admin: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - drive: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - groups: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - #------------------------------- HAProxy Module ------------------------------- - module: haproxy # All logs diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 995cc2a7a0e4..adfb028469c5 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go 
@@ -24,7 +24,6 @@ import (
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cisco"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike"
- _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberark"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberarkpas"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cylance"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy"
@@ -32,7 +31,6 @@ import (
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/fortinet"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gcp"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/google_workspace"
- _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gsuite"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/ibmmq"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/imperva"
 _ "github.com/elastic/beats/v7/x-pack/filebeat/module/infoblox"
diff --git a/x-pack/filebeat/module/cyberark/README.md b/x-pack/filebeat/module/cyberark/README.md
deleted file mode 100644
index 80bba69debc7..000000000000
--- a/x-pack/filebeat/module/cyberark/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# cyberark module
-
-This is a module for Cyber-Ark logs.
-
-Autogenerated from RSA NetWitness log parser 2.0 XML cyberark version 124
-at 2020-09-01 14:17:46.365057 +0000 UTC.
-
diff --git a/x-pack/filebeat/module/cyberark/_meta/config.yml b/x-pack/filebeat/module/cyberark/_meta/config.yml
deleted file mode 100644
index 9b0e08f26c88..000000000000
--- a/x-pack/filebeat/module/cyberark/_meta/config.yml
+++ /dev/null
@@ -1,21 +0,0 @@ -# The cyberark module is deprecated and will be removed in future releases. -# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. -- module: cyberark - corepas: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9527 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc b/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc deleted file mode 100644 index 5d349be9bfe0..000000000000 --- a/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc +++ /dev/null 
@@ -1,66 +0,0 @@ -[role="xpack"] - -:modulename: cyberark -:has-dashboards: false - -== Cyberark module - -deprecated::[7.13.0,"This module is deprecated. Use the <>"] - -This is a module for receiving Cyber-Ark logs over Syslog or a file. - -include::../include/gs-link.asciidoc[] - -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: corepas - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `corepas` fileset settings - -deprecated::[7.13.0] - -NOTE: This was converted from RSA NetWitness log parser XML "cyberark" device revision 124. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9527` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - -:modulename!: - diff --git a/x-pack/filebeat/module/cyberark/_meta/fields.yml b/x-pack/filebeat/module/cyberark/_meta/fields.yml deleted file mode 100644 index ab0db4113c78..000000000000 --- a/x-pack/filebeat/module/cyberark/_meta/fields.yml +++ /dev/null 
@@ -1,5 +0,0 @@ -- key: cyberark - title: Cyber-Ark - description: > - cyberark fields. - fields: diff --git a/x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml b/x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml deleted file mode 100644 index ecf61b431da2..000000000000 --- a/x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml +++ /dev/null 
@@ -1,2637 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - default_field: false - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - default_field: false - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true
- type: keyword
- - name: app_id
- overwrite: true
- type: keyword
- - name: audit
- overwrite: true
- type: keyword
- - name: audit_object
- overwrite: true
- type: keyword
- - name: auditdata
- overwrite: true
- type: keyword
- - name: benchmark
- overwrite: true
- type: keyword
- - name: bypass
- overwrite: true
- type: keyword
- - name: cache
- overwrite: true
- type: keyword
- - name: cache_hit
- overwrite: true
- type: keyword
- - name: cefversion
- overwrite: true
- type: keyword
- - name: cfg_attr
- overwrite: true
- type: keyword
- - name: cfg_obj
- overwrite: true
- type: keyword
- - name: cfg_path
- overwrite: true
- type: keyword
- - name: changes
- overwrite: true
- type: keyword
- - name: client_ip
- overwrite: true
- type: keyword
- - name: clustermembers
- overwrite: true
- type: keyword
- - name: cn_acttimeout
- overwrite: true
- type: keyword
- - name: cn_asn_src
- overwrite: true
- type: keyword
- - name: cn_bgpv4nxthop
- overwrite: true
- type: keyword
- - name: cn_ctr_dst_code
- overwrite: true
- type: keyword
- - name: cn_dst_tos
- overwrite: true
- type: keyword
- - name: cn_dst_vlan
- overwrite: true
- type: keyword
- - name: cn_engine_id
- overwrite: true
- type: keyword
- - name: cn_engine_type
- overwrite: true
- type: keyword
- - name: cn_f_switch
- overwrite: true
- type: keyword
- - name: cn_flowsampid
- overwrite: true
- type: keyword
- - name: cn_flowsampintv
- overwrite: true
- type: keyword
- - name: cn_flowsampmode
- overwrite: true
- type: keyword
- - name: cn_inacttimeout
- overwrite: true
- type: keyword
- - name: cn_inpermbyts
- overwrite: true
- type: keyword
- - name: cn_inpermpckts
- overwrite: true
- type: keyword
- - name: cn_invalid
- overwrite: true
- type: keyword
- - name: cn_ip_proto_ver
- overwrite: true
- type: keyword
- - name: cn_ipv4_ident
- overwrite: true
- type: keyword
- - name: cn_l_switch
- overwrite: true
- type: keyword
- - name: cn_log_did
- overwrite: true
- type: keyword
- - name:
cn_log_rid
- overwrite: true
- type: keyword
- - name: cn_max_ttl
- overwrite: true
- type: keyword
- - name: cn_maxpcktlen
- overwrite: true
- type: keyword
- - name: cn_min_ttl
- overwrite: true
- type: keyword
- - name: cn_minpcktlen
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_1
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_10
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_2
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_3
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_4
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_5
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_6
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_7
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_8
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_9
- overwrite: true
- type: keyword
- - name: cn_mplstoplabel
- overwrite: true
- type: keyword
- - name: cn_mplstoplabip
- overwrite: true
- type: keyword
- - name: cn_mul_dst_byt
- overwrite: true
- type: keyword
- - name: cn_mul_dst_pks
- overwrite: true
- type: keyword
- - name: cn_muligmptype
- overwrite: true
- type: keyword
- - name: cn_sampalgo
- overwrite: true
- type: keyword
- - name: cn_sampint
- overwrite: true
- type: keyword
- - name: cn_seqctr
- overwrite: true
- type: keyword
- - name: cn_spackets
- overwrite: true
- type: keyword
- - name: cn_src_tos
- overwrite: true
- type: keyword
- - name: cn_src_vlan
- overwrite: true
- type: keyword
- - name: cn_sysuptime
- overwrite: true
- type: keyword
- - name: cn_template_id
- overwrite: true
- type: keyword
- - name: cn_totbytsexp
- overwrite: true
- type: keyword
- - name: cn_totflowexp
- overwrite: true
- type: keyword
- - name: cn_totpcktsexp
- overwrite: true
- type: keyword
- - name: cn_unixnanosecs
- overwrite: true
- type: keyword
- - name: cn_v6flowlabel
- overwrite: true
- type: keyword
- - name: cn_v6optheaders
- overwrite: true
- type: keyword
- - name: comp_class
- overwrite: true
- type:
keyword
- - name: comp_name
- overwrite: true
- type: keyword
- - name: comp_rbytes
- overwrite: true
- type: keyword
- - name: comp_sbytes
- overwrite: true
- type: keyword
- - name: cpu_data
- overwrite: true
- type: keyword
- - name: criticality
- overwrite: true
- type: keyword
- - name: cs_agency_dst
- overwrite: true
- type: keyword
- - name: cs_analyzedby
- overwrite: true
- type: keyword
- - name: cs_av_other
- overwrite: true
- type: keyword
- - name: cs_av_primary
- overwrite: true
- type: keyword
- - name: cs_av_secondary
- overwrite: true
- type: keyword
- - name: cs_bgpv6nxthop
- overwrite: true
- type: keyword
- - name: cs_bit9status
- overwrite: true
- type: keyword
- - name: cs_context
- overwrite: true
- type: keyword
- - name: cs_control
- overwrite: true
- type: keyword
- - name: cs_data
- overwrite: true
- type: keyword
- - name: cs_datecret
- overwrite: true
- type: keyword
- - name: cs_dst_tld
- overwrite: true
- type: keyword
- - name: cs_eth_dst_ven
- overwrite: true
- type: keyword
- - name: cs_eth_src_ven
- overwrite: true
- type: keyword
- - name: cs_event_uuid
- overwrite: true
- type: keyword
- - name: cs_filetype
- overwrite: true
- type: keyword
- - name: cs_fld
- overwrite: true
- type: keyword
- - name: cs_if_desc
- overwrite: true
- type: keyword
- - name: cs_if_name
- overwrite: true
- type: keyword
- - name: cs_ip_next_hop
- overwrite: true
- type: keyword
- - name: cs_ipv4dstpre
- overwrite: true
- type: keyword
- - name: cs_ipv4srcpre
- overwrite: true
- type: keyword
- - name: cs_lifetime
- overwrite: true
- type: keyword
- - name: cs_log_medium
- overwrite: true
- type: keyword
- - name: cs_loginname
- overwrite: true
- type: keyword
- - name: cs_modulescore
- overwrite: true
- type: keyword
- - name: cs_modulesign
- overwrite: true
- type: keyword
- - name: cs_opswatresult
- overwrite: true
- type: keyword
- - name: cs_payload
- overwrite: true
- type: keyword
- - name: cs_registrant
- overwrite: true
- type: keyword
- -
name: cs_registrar
- overwrite: true
- type: keyword
- - name: cs_represult
- overwrite: true
- type: keyword
- - name: cs_rpayload
- overwrite: true
- type: keyword
- - name: cs_sampler_name
- overwrite: true
- type: keyword
- - name: cs_sourcemodule
- overwrite: true
- type: keyword
- - name: cs_streams
- overwrite: true
- type: keyword
- - name: cs_targetmodule
- overwrite: true
- type: keyword
- - name: cs_v6nxthop
- overwrite: true
- type: keyword
- - name: cs_whois_server
- overwrite: true
- type: keyword
- - name: cs_yararesult
- overwrite: true
- type: keyword
- - name: description
- overwrite: true
- type: keyword
- - name: devvendor
- overwrite: true
- type: keyword
- - name: distance
- overwrite: true
- type: keyword
- - name: dstburb
- overwrite: true
- type: keyword
- - name: edomain
- overwrite: true
- type: keyword
- - name: edomaub
- overwrite: true
- type: keyword
- - name: euid
- overwrite: true
- type: keyword
- - name: facility
- overwrite: true
- type: keyword
- - name: finterface
- overwrite: true
- type: keyword
- - name: flags
- overwrite: true
- type: keyword
- - name: gaddr
- overwrite: true
- type: keyword
- - name: id3
- overwrite: true
- type: keyword
- - name: im_buddyname
- overwrite: true
- type: keyword
- - name: im_croomid
- overwrite: true
- type: keyword
- - name: im_croomtype
- overwrite: true
- type: keyword
- - name: im_members
- overwrite: true
- type: keyword
- - name: im_username
- overwrite: true
- type: keyword
- - name: ipkt
- overwrite: true
- type: keyword
- - name: ipscat
- overwrite: true
- type: keyword
- - name: ipspri
- overwrite: true
- type: keyword
- - name: latitude
- overwrite: true
- type: keyword
- - name: linenum
- overwrite: true
- type: keyword
- - name: list_name
- overwrite: true
- type: keyword
- - name: load_data
- overwrite: true
- type: keyword
- - name: location_floor
- overwrite: true
- type: keyword
- - name: location_mark
- overwrite: true
- type: keyword
- - name: log_id
- overwrite: true
-
type: keyword
- - name: log_type
- overwrite: true
- type: keyword
- - name: logid
- overwrite: true
- type: keyword
- - name: logip
- overwrite: true
- type: keyword
- - name: logname
- overwrite: true
- type: keyword
- - name: longitude
- overwrite: true
- type: keyword
- - name: lport
- overwrite: true
- type: keyword
- - name: mbug_data
- overwrite: true
- type: keyword
- - name: misc_name
- overwrite: true
- type: keyword
- - name: msg_type
- overwrite: true
- type: keyword
- - name: msgid
- overwrite: true
- type: keyword
- - name: netsessid
- overwrite: true
- type: keyword
- - name: num
- overwrite: true
- type: keyword
- - name: number1
- overwrite: true
- type: keyword
- - name: number2
- overwrite: true
- type: keyword
- - name: nwwn
- overwrite: true
- type: keyword
- - name: object
- overwrite: true
- type: keyword
- - name: operation
- overwrite: true
- type: keyword
- - name: opkt
- overwrite: true
- type: keyword
- - name: orig_from
- overwrite: true
- type: keyword
- - name: owner_id
- overwrite: true
- type: keyword
- - name: p_action
- overwrite: true
- type: keyword
- - name: p_filter
- overwrite: true
- type: keyword
- - name: p_group_object
- overwrite: true
- type: keyword
- - name: p_id
- overwrite: true
- type: keyword
- - name: p_msgid1
- overwrite: true
- type: keyword
- - name: p_msgid2
- overwrite: true
- type: keyword
- - name: p_result1
- overwrite: true
- type: keyword
- - name: password_chg
- overwrite: true
- type: keyword
- - name: password_expire
- overwrite: true
- type: keyword
- - name: permgranted
- overwrite: true
- type: keyword
- - name: permwanted
- overwrite: true
- type: keyword
- - name: pgid
- overwrite: true
- type: keyword
- - name: policyUUID
- overwrite: true
- type: keyword
- - name: prog_asp_num
- overwrite: true
- type: keyword
- - name: program
- overwrite: true
- type: keyword
- - name: real_data
- overwrite: true
- type: keyword
- - name: rec_asp_device
- overwrite: true
- type: keyword
- - name: rec_asp_num
- overwrite: true
- type: keyword
- - name: rec_library
- overwrite: true
- type: keyword
- - name: recordnum
- overwrite: true
- type: keyword
- - name: ruid
- overwrite: true
- type: keyword
- - name: sburb
- overwrite: true
- type: keyword
- - name: sdomain_fld
- overwrite: true
- type: keyword
- - name: sec
- overwrite: true
- type: keyword
- - name: sensorname
- overwrite: true
- type: keyword
- - name: seqnum
- overwrite: true
- type: keyword
- - name: session
- overwrite: true
- type: keyword
- - name: sessiontype
- overwrite: true
- type: keyword
- - name: sigUUID
- overwrite: true
- type: keyword
- - name: spi
- overwrite: true
- type: keyword
- - name: srcburb
- overwrite: true
- type: keyword
- - name: srcdom
- overwrite: true
- type: keyword
- - name: srcservice
- overwrite: true
- type: keyword
- - name: state
- overwrite: true
- type: keyword
- - name: status1
- overwrite: true
- type: keyword
- - name: svcno
- overwrite: true
- type: keyword
- - name: system
- overwrite: true
- type: keyword
- - name: tbdstr1
- overwrite: true
- type: keyword
- - name: tgtdom
- overwrite: true
- type: keyword
- - name: tgtdomain
- overwrite: true
- type: keyword
- - name: threshold
- overwrite: true
- type: keyword
- - name: type1
- overwrite: true
- type: keyword
- - name: udb_class
- overwrite: true
- type: keyword
- - name: url_fld
- overwrite: true
- type: keyword
- - name: user_div
- overwrite: true
- type: keyword
- - name: userid
- overwrite: true
- type: keyword
- - name: username_fld
- overwrite: true
- type: keyword
- - name: utcstamp
- overwrite: true
- type: keyword
- - name: v_instafname
- overwrite: true
- type: keyword
- - name: virt_data
- overwrite: true
- type: keyword
- - name: vpnid
- overwrite: true
- type: keyword
- - name: autorun_type
- overwrite: true
- type: keyword
- description: This is used to capture Auto Run type
- - name: cc_number
- overwrite: true
- type: long
- description: Valid Credit Card Numbers only
- - name: content
-
overwrite: true
- type: keyword
- description: This key captures the content type from protocol headers
- - name: ein_number
- overwrite: true
- type: long
- description: Employee Identification Numbers only
- - name: found
- overwrite: true
- type: keyword
- description: This is used to capture the results of regex match
- - name: language
- overwrite: true
- type: keyword
- description: This is used to capture list of languages the client support and
- what it prefers
- - name: lifetime
- overwrite: true
- type: long
- description: This key is used to capture the session lifetime in seconds.
- - name: link
- overwrite: true
- type: keyword
- description: This key is used to link the sessions together. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: match
- overwrite: true
- type: keyword
- description: This key is for regex match name from search.ini
- - name: param_dst
- overwrite: true
- type: keyword
- description: This key captures the command line/launch argument of the target
- process or file
- - name: param_src
- overwrite: true
- type: keyword
- description: This key captures source parameter
- - name: search_text
- overwrite: true
- type: keyword
- description: This key captures the Search Text used
- - name: sig_name
- overwrite: true
- type: keyword
- description: This key is used to capture the Signature Name only.
- - name: snmp_value
- overwrite: true
- type: keyword
- description: SNMP set request value
- - name: streams
- overwrite: true
- type: long
- description: This key captures number of streams in session
- - name: db
- overwrite: true
- type: group
- fields:
- - name: index
- overwrite: true
- type: keyword
- description: This key captures IndexID of the index.
- - name: instance
- overwrite: true
- type: keyword
- description: This key is used to capture the database server instance name
- - name: database
- overwrite: true
- type: keyword
- description: This key is used to capture the name of a database or an instance
- as seen in a session
- - name: transact_id
- overwrite: true
- type: keyword
- description: This key captures the SQL transantion ID of the current session
- - name: permissions
- overwrite: true
- type: keyword
- description: This key captures permission or privilege level assigned to a resource.
- - name: table_name
- overwrite: true
- type: keyword
- description: This key is used to capture the table name
- - name: db_id
- overwrite: true
- type: keyword
- description: This key is used to capture the unique identifier for a database
- - name: db_pid
- overwrite: true
- type: long
- description: This key captures the process id of a connection with database
- server
- - name: lread
- overwrite: true
- type: long
- description: This key is used for the number of logical reads
- - name: lwrite
- overwrite: true
- type: long
- description: This key is used for the number of logical writes
- - name: pread
- overwrite: true
- type: long
- description: This key is used for the number of physical writes
- - name: network
- overwrite: true
- type: group
- fields:
- - name: alias_host
- overwrite: true
- type: keyword
- description: This key should be used when the source or destination context
- of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
- that isnt ad.computer.
- - name: domain
- overwrite: true
- type: keyword
- - name: host_dst
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Destination Hostname"
- - name: network_service
- overwrite: true
- type: keyword
- description: This is used to capture layer 7 protocols/service names
- - name: interface
- overwrite: true
- type: keyword
- description: This key should be used when the source or destination context
- of an interface is not clear
- - name: network_port
- overwrite: true
- type: long
- description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
- used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- - name: eth_host
- overwrite: true
- type: keyword
- description: Deprecated, use alias.mac
- - name: sinterface
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Source Interface"
- - name: dinterface
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Destination Interface"
- - name: vlan
- overwrite: true
- type: long
- description: This key should only be used to capture the ID of the Virtual LAN
- - name: zone_src
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Source Zone."
- - name: zone
- overwrite: true
- type: keyword
- description: This key should be used when the source or destination context
- of a Zone is not clear
- - name: zone_dst
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Destination Zone."
- - name: gateway
- overwrite: true
- type: keyword
- description: This key is used to capture the IP Address of the gateway
- - name: icmp_type
- overwrite: true
- type: long
- description: This key is used to capture the ICMP type only
- - name: mask
- overwrite: true
- type: keyword
- description: This key is used to capture the device network IPmask.
- - name: icmp_code
- overwrite: true
- type: long
- description: This key is used to capture the ICMP code only
- - name: protocol_detail
- overwrite: true
- type: keyword
- description: This key should be used to capture additional protocol information
- - name: dmask
- overwrite: true
- type: keyword
- description: This key is used for Destionation Device network mask
- - name: port
- overwrite: true
- type: long
- description: This key should only be used to capture a Network Port when the
- directionality is not clear
- - name: smask
- overwrite: true
- type: keyword
- description: This key is used for capturing source Network Mask
- - name: netname
- overwrite: true
- type: keyword
- description: This key is used to capture the network name associated with an
- IP range. This is configured by the end user.
- - name: paddr
- overwrite: true
- type: ip
- description: Deprecated
- - name: faddr
- overwrite: true
- type: keyword
- - name: lhost
- overwrite: true
- type: keyword
- - name: origin
- overwrite: true
- type: keyword
- - name: remote_domain_id
- overwrite: true
- type: keyword
- - name: addr
- overwrite: true
- type: keyword
- - name: dns_a_record
- overwrite: true
- type: keyword
- - name: dns_ptr_record
- overwrite: true
- type: keyword
- - name: fhost
- overwrite: true
- type: keyword
- - name: fport
- overwrite: true
- type: keyword
- - name: laddr
- overwrite: true
- type: keyword
- - name: linterface
- overwrite: true
- type: keyword
- - name: phost
- overwrite: true
- type: keyword
- - name: ad_computer_dst
- overwrite: true
- type: keyword
- description: Deprecated, use host.dst
- - name: eth_type
- overwrite: true
- type: long
- description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
- Only
- - name: ip_proto
- overwrite: true
- type: long
- description: This key should be used to capture the Protocol number, all the
- protocol nubers are converted into string in UI
- - name: dns_cname_record
- overwrite: true
-
type: keyword
- - name: dns_id
- overwrite: true
- type: keyword
- - name: dns_opcode
- overwrite: true
- type: keyword
- - name: dns_resp
- overwrite: true
- type: keyword
- - name: dns_type
- overwrite: true
- type: keyword
- - name: domain1
- overwrite: true
- type: keyword
- - name: host_type
- overwrite: true
- type: keyword
- - name: packet_length
- overwrite: true
- type: keyword
- - name: host_orig
- overwrite: true
- type: keyword
- description: This is used to capture the original hostname in case of a Forwarding
- Agent or a Proxy in between.
- - name: rpayload
- overwrite: true
- type: keyword
- description: This key is used to capture the total number of payload bytes seen
- in the retransmitted packets.
- - name: vlan_name
- overwrite: true
- type: keyword
- description: This key should only be used to capture the name of the Virtual
- LAN
- - name: investigations
- overwrite: true
- type: group
- fields:
- - name: ec_activity
- overwrite: true
- type: keyword
- description: This key captures the particular event activity(Ex:Logoff)
- - name: ec_theme
- overwrite: true
- type: keyword
- description: This key captures the Theme of a particular Event(Ex:Authentication)
- - name: ec_subject
- overwrite: true
- type: keyword
- description: This key captures the Subject of a particular Event(Ex:User)
- - name: ec_outcome
- overwrite: true
- type: keyword
- description: This key captures the outcome of a particular Event(Ex:Success)
- - name: event_cat
- overwrite: true
- type: long
- description: This key captures the Event category number
- - name: event_cat_name
- overwrite: true
- type: keyword
- description: This key captures the event category name corresponding to the
- event cat code
- - name: event_vcat
- overwrite: true
- type: keyword
- description: This is a vendor supplied category. This should be used in situations
- where the vendor has adopted their own event_category taxonomy.
- - name: analysis_file
- overwrite: true
- type: keyword
- description: This is used to capture all indicators used in a File Analysis.
- This key should be used to capture an analysis of a file
- - name: analysis_service
- overwrite: true
- type: keyword
- description: This is used to capture all indicators used in a Service Analysis.
- This key should be used to capture an analysis of a service
- - name: analysis_session
- overwrite: true
- type: keyword
- description: This is used to capture all indicators used for a Session Analysis.
- This key should be used to capture an analysis of a session
- - name: boc
- overwrite: true
- type: keyword
- description: This is used to capture behaviour of compromise
- - name: eoc
- overwrite: true
- type: keyword
- description: This is used to capture Enablers of Compromise
- - name: inv_category
- overwrite: true
- type: keyword
- description: This used to capture investigation category
- - name: inv_context
- overwrite: true
- type: keyword
- description: This used to capture investigation context
- - name: ioc
- overwrite: true
- type: keyword
- description: This is key capture indicator of compromise
- - name: counters
- overwrite: true
- type: group
- fields:
- - name: dclass_c1
- overwrite: true
- type: long
- description: This is a generic counter key that should be used with the label
- dclass.c1.str only
- - name: dclass_c2
- overwrite: true
- type: long
- description: This is a generic counter key that should be used with the label
- dclass.c2.str only
- - name: event_counter
- overwrite: true
- type: long
- description: This is used to capture the number of times an event repeated
- - name: dclass_r1
- overwrite: true
- type: keyword
- description: This is a generic ratio key that should be used with the label
- dclass.r1.str only
- - name: dclass_c3
- overwrite: true
- type: long
- description: This is a generic counter key that should be used with the label
- dclass.c3.str only
- - name: dclass_c1_str
-
overwrite: true
- type: keyword
- description: This is a generic counter string key that should be used with the
- label dclass.c1 only
- - name: dclass_c2_str
- overwrite: true
- type: keyword
- description: This is a generic counter string key that should be used with the
- label dclass.c2 only
- - name: dclass_r1_str
- overwrite: true
- type: keyword
- description: This is a generic ratio string key that should be used with the
- label dclass.r1 only
- - name: dclass_r2
- overwrite: true
- type: keyword
- description: This is a generic ratio key that should be used with the label
- dclass.r2.str only
- - name: dclass_c3_str
- overwrite: true
- type: keyword
- description: This is a generic counter string key that should be used with the
- label dclass.c3 only
- - name: dclass_r3
- overwrite: true
- type: keyword
- description: This is a generic ratio key that should be used with the label
- dclass.r3.str only
- - name: dclass_r2_str
- overwrite: true
- type: keyword
- description: This is a generic ratio string key that should be used with the
- label dclass.r2 only
- - name: dclass_r3_str
- overwrite: true
- type: keyword
- description: This is a generic ratio string key that should be used with the
- label dclass.r3 only
- - name: identity
- overwrite: true
- type: group
- fields:
- - name: auth_method
- overwrite: true
- type: keyword
- description: This key is used to capture authentication methods used only
- - name: user_role
- overwrite: true
- type: keyword
- description: This key is used to capture the Role of a user only
- - name: dn
- overwrite: true
- type: keyword
- description: X.500 (LDAP) Distinguished Name
- - name: logon_type
- overwrite: true
- type: keyword
- description: This key is used to capture the type of logon method used.
- - name: profile
- overwrite: true
- type: keyword
- description: This key is used to capture the user profile
- - name: accesses
- overwrite: true
- type: keyword
- description: This key is used to capture actual privileges used in accessing
- an object
- - name: realm
- overwrite: true
- type: keyword
- description: Radius realm or similar grouping of accounts
- - name: user_sid_dst
- overwrite: true
- type: keyword
- description: This key captures Destination User Session ID
- - name: dn_src
- overwrite: true
- type: keyword
- description: An X.500 (LDAP) Distinguished name that is used in a context that
- indicates a Source dn
- - name: org
- overwrite: true
- type: keyword
- description: This key captures the User organization
- - name: dn_dst
- overwrite: true
- type: keyword
- description: An X.500 (LDAP) Distinguished name that used in a context that
- indicates a Destination dn
- - name: firstname
- overwrite: true
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly
- to capture Patients information
- - name: lastname
- overwrite: true
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly
- to capture Patients information
- - name: user_dept
- overwrite: true
- type: keyword
- description: User's Department Names only
- - name: user_sid_src
- overwrite: true
- type: keyword
- description: This key captures Source User Session ID
- - name: federated_sp
- overwrite: true
- type: keyword
- description: This key is the Federated Service Provider. This is the application
- requesting authentication.
- - name: federated_idp
- overwrite: true
- type: keyword
- description: This key is the federated Identity Provider. This is the server
- providing the authentication.
- - name: logon_type_desc
- overwrite: true
- type: keyword
- description: This key is used to capture the textual description of an integer
- logon type as stored in the meta key 'logon.type'.
- - name: middlename
- overwrite: true
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare
- predominantly to capture Patients information
- - name: password
- overwrite: true
- type: keyword
- description: This key is for Passwords seen in any session, plain text or encrypted
- - name: host_role
- overwrite: true
- type: keyword
- description: This key should only be used to capture the role of a Host Machine
- - name: ldap
- overwrite: true
- type: keyword
- description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
- t have a clear query or response context"
- - name: ldap_query
- overwrite: true
- type: keyword
- description: This key is the Search criteria from an LDAP search
- - name: ldap_response
- overwrite: true
- type: keyword
- description: This key is to capture Results from an LDAP search
- - name: owner
- overwrite: true
- type: keyword
- description: This is used to capture username the process or service is running
- as, the author of the task
- - name: service_account
- overwrite: true
- type: keyword
- description: This key is a windows specific key, used for capturing name of
- the account a service (referenced in the event) is running under. Legacy Usage
- - name: email
- overwrite: true
- type: group
- fields:
- - name: email_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the Destination email address only,
- when the destination context is not clear use email
- - name: email_src
- overwrite: true
- type: keyword
- description: This key is used to capture the source email address only, when
- the source context is not clear use email
- - name: subject
- overwrite: true
- type: keyword
- description: This key is used to capture the subject string from an Email only.
- - name: email
- overwrite: true
- type: keyword
- description: This key is used to capture a generic email address where the source
- or destination context is not clear
- - name: trans_from
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: trans_to
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: file
- overwrite: true
- type: group
- fields:
- - name: privilege
- overwrite: true
- type: keyword
- description: Deprecated, use permissions
- - name: attachment
- overwrite: true
- type: keyword
- description: This key captures the attachment file name
- - name: filesystem
- overwrite: true
- type: keyword
- - name: binary
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: filename_dst
- overwrite: true
- type: keyword
- description: This is used to capture name of the file targeted by the action
- - name: filename_src
- overwrite: true
- type: keyword
- description: This is used to capture name of the parent filename, the file which
- performed the action
- - name: filename_tmp
- overwrite: true
- type: keyword
- - name: directory_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the directory of the target process
- or file
- - name: directory_src
- overwrite: true
- type: keyword
- description: This key is used to capture the directory of the source process
- or file
- - name: file_entropy
- overwrite: true
- type: double
- description: This is used to capture entropy vale of a file
- - name: file_vendor
- overwrite: true
- type: keyword
- description: This is used to capture Company name of file located in version_info
- - name: task_name
- overwrite: true
- type: keyword
- description: This is used to capture name of the task
- - name: web
- overwrite: true
- type: group
- fields:
- - name: fqdn
- overwrite: true
- type: keyword
- description: Fully Qualified Domain Names
- -
name: web_cookie
- overwrite: true
- type: keyword
- description: This key is used to capture the Web cookies specifically.
- - name: alias_host
- overwrite: true
- type: keyword
- - name: reputation_num
- overwrite: true
- type: double
- description: Reputation Number of an entity. Typically used for Web Domains
- - name: web_ref_domain
- overwrite: true
- type: keyword
- description: Web referer's domain
- - name: web_ref_query
- overwrite: true
- type: keyword
- description: This key captures Web referer's query portion of the URL
- - name: remote_domain
- overwrite: true
- type: keyword
- - name: web_ref_page
- overwrite: true
- type: keyword
- description: This key captures Web referer's page information
- - name: web_ref_root
- overwrite: true
- type: keyword
- description: Web referer's root URL path
- - name: cn_asn_dst
- overwrite: true
- type: keyword
- - name: cn_rpackets
- overwrite: true
- type: keyword
- - name: urlpage
- overwrite: true
- type: keyword
- - name: urlroot
- overwrite: true
- type: keyword
- - name: p_url
- overwrite: true
- type: keyword
- - name: p_user_agent
- overwrite: true
- type: keyword
- - name: p_web_cookie
- overwrite: true
- type: keyword
- - name: p_web_method
- overwrite: true
- type: keyword
- - name: p_web_referer
- overwrite: true
- type: keyword
- - name: web_extension_tmp
- overwrite: true
- type: keyword
- - name: web_page
- overwrite: true
- type: keyword
- - name: threat
- overwrite: true
- type: group
- fields:
- - name: threat_category
- overwrite: true
- type: keyword
- description: This key captures Threat Name/Threat Category/Categorization of
- alert
- - name: threat_desc
- overwrite: true
- type: keyword
- description: This key is used to capture the threat description from the session
- directly or inferred
- - name: alert
- overwrite: true
- type: keyword
- description: This key is used to capture name of the alert
- - name: threat_source
- overwrite: true
- type: keyword
- description: This key is used to
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/cyberark/corepas/config/input.yml b/x-pack/filebeat/module/cyberark/corepas/config/input.yml deleted file mode 100644 index 11724ce0b170..000000000000 --- a/x-pack/filebeat/module/cyberark/corepas/config/input.yml +++ /dev/null 
@@ -1,87 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "Cyberark"
- product: "Core"
- type: "Access"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/cyberark/corepas/config/liblogparser.js
- - ${path.home}/module/cyberark/corepas/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.11.0
diff --git a/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js b/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js
deleted file mode 100644
index cec99a043e86..000000000000
--- a/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js
+++ /dev/null
@@ -1,2514 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.error(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "log.original", setter: fld_set}]}, - "orig_ip": {convert: 
to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_append},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, 
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup1, - dup2, -])); - -var dup153 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup4, - dup2, - dup3, -])); - -var dup154 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", 
processor_chain([ - dup4, - dup2, -])); - -var dup155 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - dup2, - dup3, -])); - -var dup156 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - dup2, -])); - -var dup157 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": 
"severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup15, - dup16, - dup17, - dup9, - dup2, - dup3, -])); - -var dup158 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup16, - dup17, - dup9, - dup2, -])); - -var dup159 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup19, - dup2, - dup3, -])); - -var dup160 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup19, - dup2, -])); - -var dup161 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup15, - dup2, - dup3, -])); - -var dup162 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup2, -])); - -var dup163 = tagval("MESSAGE#38:22:01", "nwparser.payload", 
tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup21, - dup2, - dup3, -])); - -var dup164 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup21, - dup2, -])); - -var dup165 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, 
processor_chain([ - dup23, - dup2, - dup3, -])); - -var dup166 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup23, - dup2, -])); - -var dup167 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup20, - dup2, - dup3, -])); - -var dup168 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup20, - dup2, -])); - -var dup169 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup26, - dup2, - dup3, -])); - -var dup170 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup26, - dup2, -])); - -var dup171 = tagval("MESSAGE#190:98:01", "nwparser.payload", 
tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup26, - dup2, - dup3, - dup24, - dup25, -])); - -var dup172 = linear_select([ - dup32, - dup33, -]); - -var dup173 = linear_select([ - dup34, - dup35, -]); - -var dup174 = linear_select([ - dup36, - dup37, -]); - -var dup175 = linear_select([ - dup38, - dup39, -]); - -var dup176 = linear_select([ - dup40, - dup41, -]); - -var dup177 = linear_select([ - dup42, - dup43, -]); - -var dup178 = linear_select([ - dup44, - dup45, -]); - -var dup179 = linear_select([ - dup46, - dup47, -]); - -var dup180 = linear_select([ - dup48, - dup49, -]); - -var dup181 = linear_select([ - dup50, - dup51, -]); - -var dup182 = linear_select([ - dup52, - dup53, -]); - -var dup183 = linear_select([ - dup54, - dup55, -]); - -var dup184 = linear_select([ - dup56, - dup57, -]); - -var dup185 = linear_select([ - dup58, - dup59, -]); - -var dup186 = linear_select([ - dup60, - dup61, -]); - -var dup187 = linear_select([ - dup62, - dup63, -]); - -var dup188 = linear_select([ - dup64, - dup65, -]); - -var dup189 = linear_select([ - dup66, - dup67, -]); - -var dup190 = linear_select([ - dup68, - dup69, -]); - -var dup191 = linear_select([ - dup70, - dup71, -]); - -var dup192 = linear_select([ - dup72, - dup73, -]); - -var dup193 = linear_select([ - dup74, - dup75, -]); - -var dup194 = linear_select([ - dup76, - dup77, -]); - -var dup195 = 
tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup79, - dup80, - dup81, - dup2, - dup3, -])); - -var dup196 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup79, - dup80, - dup81, - dup2, -])); - -var dup197 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": 
"uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup82, - dup2, - dup3, -])); - -var dup198 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup82, - dup2, -])); - -var dup199 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup83, - dup2, - dup3, -])); - -var dup200 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup83, - dup2, -])); - -var dup201 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ - dup4, - dup2, - dup3, -])); - -var dup202 = linear_select([ - dup85, - dup86, -]); - -var dup203 = linear_select([ - dup88, - dup89, -]); - -var dup204 = linear_select([ - dup91, - dup92, -]); - -var dup205 = linear_select([ - dup94, - dup95, -]); - -var dup206 = linear_select([ - dup97, - dup98, -]); - -var dup207 = linear_select([ - dup100, - dup101, -]); - -var dup208 = linear_select([ - dup103, - dup104, -]); - -var dup209 = linear_select([ - dup106, - dup107, -]); - -var dup210 = linear_select([ - dup109, - dup110, -]); - -var dup211 = linear_select([ - dup112, - dup113, -]); - -var dup212 = linear_select([ - dup115, - dup116, - dup117, - dup118, -]); - -var dup213 = linear_select([ - dup120, - dup121, -]); - -var dup214 = linear_select([ - dup123, - dup124, -]); - -var dup215 = linear_select([ - dup126, - dup127, -]); - -var dup216 = linear_select([ - dup129, - dup130, 
-]); - -var dup217 = linear_select([ - dup132, - dup133, -]); - -var dup218 = linear_select([ - dup135, - dup136, -]); - -var dup219 = linear_select([ - dup138, - dup139, -]); - -var dup220 = linear_select([ - dup141, - dup142, -]); - -var dup221 = linear_select([ - dup144, - dup145, -]); - -var dup222 = linear_select([ - dup147, - dup148, -]); - -var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hdevice"), - constant("\",ProductAccount=\""), - field("hfld1"), - constant("\",ProductProcess=\""), - field("process"), - constant("\",EventId=\""), - field("messageid"), - constant("\", "), - field("p0"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ - setc("header_id","0005"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hdevice"), - constant("\",ProductAccount=\""), - field("hfld4"), - constant("\",ProductProcess=\""), - field("process"), - constant("\",EventId=\""), - field("messageid"), - constant("\", "), - field("p0"), - ], - }), -])); - -var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ - setc("header_id","0002"), -])); - -var hdr4 = match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ - setc("header_id","0003"), -])); - -var hdr5 = match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ - setc("header_id","0004"), -])); - -var 
hdr6 = match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ - setc("header_id","0006"), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, -]); - -var msg1 = msg("1:01", dup151); - -var msg2 = msg("1", dup152); - -var select2 = linear_select([ - msg1, - msg2, -]); - -var msg3 = msg("2:01", dup153); - -var msg4 = msg("2", dup154); - -var select3 = linear_select([ - msg3, - msg4, -]); - -var msg5 = msg("3:01", dup151); - -var msg6 = msg("3", dup152); - -var select4 = linear_select([ - msg5, - msg6, -]); - -var msg7 = msg("4:01", dup155); - -var msg8 = msg("4", dup156); - -var select5 = linear_select([ - msg7, - msg8, -]); - -var part1 = tagval("MESSAGE#8:7:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup10, - dup6, - dup7, - dup8, - dup11, - dup2, - dup3, -])); - -var msg9 = msg("7:01", part1); - -var part2 = match("MESSAGE#9:7", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup10, - dup6, - dup7, - dup8, - dup11, - dup2, -])); - -var msg10 = msg("7", part2); - -var select6 = linear_select([ - msg9, - msg10, -]); - -var part3 = tagval("MESSAGE#10:8:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup12, - dup6, - dup13, - dup8, - dup11, - dup2, - dup3, -])); - -var msg11 = msg("8:01", part3); - -var part4 = match("MESSAGE#11:8", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup12, - dup6, - dup13, - dup8, - dup11, - dup2, -])); - -var msg12 = msg("8", part4); - -var select7 = linear_select([ - msg11, - msg12, -]); - -var part5 = tagval("MESSAGE#12:9:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup1, - dup14, - dup9, - dup2, - dup3, -])); - -var msg13 = msg("9:01", part5); - -var part6 = match("MESSAGE#13:9", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup1, - dup14, - dup9, - dup2, -])); - -var msg14 = msg("9", part6); - -var select8 = linear_select([ - msg13, - msg14, -]); - -var msg15 = msg("10:01", dup151); - -var msg16 = msg("10", dup152); - -var select9 = linear_select([ - msg15, - msg16, -]); - -var msg17 = msg("11:01", dup151); - -var msg18 = msg("11", dup152); - -var select10 = linear_select([ - msg17, - msg18, -]); - -var msg19 = msg("12:01", dup151); - -var msg20 = msg("12", dup152); - -var select11 = linear_select([ - msg19, - msg20, -]); - -var msg21 = msg("13:01", dup157); - -var msg22 = msg("13", dup158); - -var select12 = linear_select([ - msg21, - msg22, -]); - -var msg23 = msg("14:01", dup157); - -var msg24 = msg("14", dup158); - -var select13 = linear_select([ - msg23, - msg24, -]); - -var part7 = tagval("MESSAGE#24:15:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, 
processor_chain([ - dup15, - dup18, - dup9, - dup2, - dup3, -])); - -var msg25 = msg("15:01", part7); - -var part8 = match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup18, - dup9, - dup2, -])); - -var msg26 = msg("15", part8); - -var select14 = linear_select([ - msg25, - msg26, -]); - -var msg27 = msg("16:01", dup159); - -var msg28 = msg("16", dup160); - -var select15 = linear_select([ - msg27, - msg28, -]); - -var msg29 = msg("17:01", dup151); - -var msg30 = msg("17", dup152); - -var select16 = linear_select([ - msg29, - msg30, -]); - -var msg31 = msg("18:01", dup161); - -var msg32 = msg("18", dup162); - -var select17 = linear_select([ - msg31, - msg32, -]); - -var part9 = tagval("MESSAGE#32:19:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup20, - dup16, - dup11, - dup2, - dup3, -])); - -var msg33 = 
msg("19:01", part9); - -var part10 = match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup20, - dup16, - dup11, - dup2, -])); - -var msg34 = msg("19", part10); - -var select18 = linear_select([ - msg33, - msg34, -]); - -var part11 = tagval("MESSAGE#34:20:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup19, - dup16, - dup2, - dup3, -])); - -var msg35 = msg("20:01", part11); - -var part12 = match("MESSAGE#35:20", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup19, - dup16, - dup2, -])); - -var msg36 = msg("20", part12); - -var select19 = linear_select([ - msg35, - msg36, -]); - -var part13 = tagval("MESSAGE#36:21:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup15, - dup16, - dup9, - dup2, - dup3, -])); - -var msg37 = msg("21:01", part13); - -var part14 = match("MESSAGE#37:21", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup16, - dup9, - dup2, -])); - -var msg38 = msg("21", part14); - -var select20 = linear_select([ - msg37, - msg38, -]); - -var msg39 = msg("22:01", dup163); - -var msg40 = msg("22", dup164); - -var select21 = linear_select([ - msg39, - msg40, -]); - -var part15 = tagval("MESSAGE#40:23:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup22, - dup2, - dup3, -])); - -var msg41 = msg("23:01", part15); - -var part16 = match("MESSAGE#41:23", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup22, - dup2, -])); - -var msg42 = msg("23", part16); - -var select22 = linear_select([ - msg41, - msg42, -]); - -var msg43 = msg("24:01", dup163); - -var msg44 = msg("24", dup164); - -var select23 = linear_select([ - msg43, - msg44, -]); - -var msg45 = msg("25:01", dup151); - -var msg46 = msg("25", dup152); - -var select24 = linear_select([ - msg45, - msg46, -]); - -var msg47 = msg("26:01", dup151); - -var msg48 = msg("26", dup152); - -var select25 = linear_select([ - msg47, - msg48, -]); - -var msg49 = msg("27:01", dup151); - -var msg50 = msg("27", dup152); - -var select26 = linear_select([ - msg49, - msg50, -]); - -var msg51 = msg("28:01", dup163); - -var msg52 = msg("28", dup164); - -var select27 = linear_select([ - msg51, - msg52, -]); - -var msg53 = msg("29:01", dup151); - -var msg54 = msg("29", dup152); - -var select28 = linear_select([ - msg53, - msg54, -]); - -var msg55 = msg("30:01", dup151); - -var msg56 = msg("30", dup152); - -var select29 = linear_select([ - msg55, - msg56, -]); - -var msg57 = msg("31:01", dup163); - -var msg58 = msg("31", dup164); - -var select30 = linear_select([ - msg57, - msg58, -]); - -var msg59 = msg("32:01", dup163); - -var msg60 = msg("32", dup164); - -var select31 = linear_select([ - msg59, - msg60, -]); - -var msg61 = msg("33:01", dup163); - -var msg62 = msg("33", dup164); - -var select32 = linear_select([ - msg61, - msg62, -]); - -var msg63 = msg("34:01", dup151); - -var msg64 = msg("34", 
dup152); - -var select33 = linear_select([ - msg63, - msg64, -]); - -var msg65 = msg("35:01", dup151); - -var msg66 = msg("35", dup152); - -var select34 = linear_select([ - msg65, - msg66, -]); - -var msg67 = msg("36:01", dup163); - -var msg68 = msg("36", dup164); - -var select35 = linear_select([ - msg67, - msg68, -]); - -var msg69 = msg("37:01", dup163); - -var msg70 = msg("37", dup164); - -var select36 = linear_select([ - msg69, - msg70, -]); - -var msg71 = msg("38:01", dup165); - -var msg72 = msg("38", dup166); - -var select37 = linear_select([ - msg71, - msg72, -]); - -var msg73 = msg("39:01", dup163); - -var msg74 = msg("39", dup164); - -var select38 = linear_select([ - msg73, - msg74, -]); - -var msg75 = msg("40:01", dup151); - -var msg76 = msg("40", dup152); - -var select39 = linear_select([ - msg75, - msg76, -]); - -var msg77 = msg("41:01", dup151); - -var msg78 = msg("41", dup152); - -var select40 = linear_select([ - msg77, - msg78, -]); - -var msg79 = msg("42:01", dup151); - -var msg80 = msg("42", dup152); - -var select41 = linear_select([ - msg79, - msg80, -]); - -var msg81 = msg("43:01", dup151); - -var msg82 = msg("43", dup152); - -var select42 = linear_select([ - msg81, - msg82, -]); - -var msg83 = msg("44:01", dup151); - -var msg84 = msg("44", dup152); - -var select43 = linear_select([ - msg83, - msg84, -]); - -var msg85 = msg("45:01", dup151); - -var msg86 = msg("45", dup152); - -var select44 = linear_select([ - msg85, - msg86, -]); - -var msg87 = msg("46:01", dup151); - -var msg88 = msg("46", dup152); - -var select45 = linear_select([ - msg87, - msg88, -]); - -var msg89 = msg("47:01", dup151); - -var msg90 = msg("47", dup152); - -var select46 = linear_select([ - msg89, - msg90, -]); - -var msg91 = msg("48:01", dup151); - -var msg92 = msg("48", dup152); - -var select47 = linear_select([ - msg91, - msg92, -]); - -var msg93 = msg("49:01", dup151); - -var msg94 = msg("49", dup152); - -var select48 = linear_select([ - msg93, - msg94, -]); - -var part17 
= tagval("MESSAGE#94:50:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup21, - dup2, - dup3, - dup24, - dup25, -])); - -var msg95 = msg("50:01", part17); - -var msg96 = msg("50", dup164); - -var select49 = linear_select([ - msg95, - msg96, -]); - -var msg97 = msg("51:01", dup163); - -var msg98 = msg("51", dup164); - -var select50 = linear_select([ - msg97, - msg98, -]); - -var msg99 = msg("52:01", dup163); - -var msg100 = msg("52", dup164); - -var select51 = linear_select([ - msg99, - msg100, -]); - -var msg101 = msg("53:01", dup151); - -var msg102 = msg("53", dup152); - -var select52 = linear_select([ - msg101, - msg102, -]); - -var msg103 = msg("54:01", dup151); - -var msg104 = msg("54", dup152); - -var select53 = linear_select([ - msg103, - msg104, -]); - -var msg105 = msg("55:01", dup151); - -var msg106 = msg("55", dup152); - -var select54 = linear_select([ - msg105, - msg106, -]); - -var msg107 = msg("56:01", dup151); - -var msg108 = msg("56", dup152); - -var select55 = linear_select([ - msg107, - msg108, -]); - -var msg109 = msg("57:01", dup165); - -var msg110 = msg("57", dup166); - -var select56 = linear_select([ - msg109, - msg110, -]); - -var msg111 = msg("58:01", dup163); - -var msg112 = msg("58", dup164); - -var select57 = linear_select([ - msg111, - msg112, -]); - -var msg113 = msg("59:01", dup163); - -var msg114 = msg("59", dup164); - 
-var select58 = linear_select([ - msg113, - msg114, -]); - -var msg115 = msg("60:01", dup165); - -var msg116 = msg("60", dup166); - -var select59 = linear_select([ - msg115, - msg116, -]); - -var msg117 = msg("61:01", dup167); - -var msg118 = msg("61", dup168); - -var select60 = linear_select([ - msg117, - msg118, -]); - -var msg119 = msg("62:01", dup163); - -var msg120 = msg("62", dup164); - -var select61 = linear_select([ - msg119, - msg120, -]); - -var msg121 = msg("63:01", dup151); - -var msg122 = msg("63", dup152); - -var select62 = linear_select([ - msg121, - msg122, -]); - -var msg123 = msg("64:01", dup167); - -var msg124 = msg("64", dup168); - -var select63 = linear_select([ - msg123, - msg124, -]); - -var msg125 = msg("65:01", dup151); - -var msg126 = msg("65", dup152); - -var select64 = linear_select([ - msg125, - msg126, -]); - -var msg127 = msg("66:01", dup169); - -var msg128 = msg("66", dup170); - -var select65 = linear_select([ - msg127, - msg128, -]); - -var msg129 = msg("67:01", dup169); - -var msg130 = msg("67", dup170); - -var select66 = linear_select([ - msg129, - msg130, -]); - -var msg131 = msg("68:01", dup169); - -var msg132 = msg("68", dup170); - -var select67 = linear_select([ - msg131, - msg132, -]); - -var msg133 = msg("69:01", dup169); - -var msg134 = msg("69", dup170); - -var select68 = linear_select([ - msg133, - msg134, -]); - -var msg135 = msg("70:01", dup151); - -var msg136 = msg("70", dup152); - -var select69 = linear_select([ - msg135, - msg136, -]); - -var msg137 = msg("71:01", dup169); - -var msg138 = msg("71", dup170); - -var select70 = linear_select([ - msg137, - msg138, -]); - -var msg139 = msg("72:01", dup151); - -var msg140 = msg("72", dup152); - -var select71 = linear_select([ - msg139, - msg140, -]); - -var msg141 = msg("73:01", dup169); - -var msg142 = msg("73", dup170); - -var select72 = linear_select([ - msg141, - msg142, -]); - -var msg143 = msg("74:01", dup151); - -var msg144 = msg("74", dup152); - -var select73 = 
linear_select([ - msg143, - msg144, -]); - -var msg145 = msg("75:01", dup169); - -var msg146 = msg("75", dup170); - -var select74 = linear_select([ - msg145, - msg146, -]); - -var msg147 = msg("76:01", dup151); - -var msg148 = msg("76", dup152); - -var select75 = linear_select([ - msg147, - msg148, -]); - -var msg149 = msg("77:01", dup151); - -var msg150 = msg("77", dup152); - -var select76 = linear_select([ - msg149, - msg150, -]); - -var msg151 = msg("78:01", dup151); - -var msg152 = msg("78", dup152); - -var select77 = linear_select([ - msg151, - msg152, -]); - -var msg153 = msg("79:01", dup169); - -var msg154 = msg("79", dup170); - -var select78 = linear_select([ - msg153, - msg154, -]); - -var msg155 = msg("80:01", dup169); - -var msg156 = msg("80", dup170); - -var select79 = linear_select([ - msg155, - msg156, -]); - -var msg157 = msg("81:01", dup167); - -var msg158 = msg("81", dup168); - -var select80 = linear_select([ - msg157, - msg158, -]); - -var msg159 = msg("82:01", dup151); - -var msg160 = msg("82", dup152); - -var select81 = linear_select([ - msg159, - msg160, -]); - -var msg161 = msg("83:01", dup169); - -var msg162 = msg("83", dup170); - -var select82 = linear_select([ - msg161, - msg162, -]); - -var msg163 = msg("84:01", dup169); - -var msg164 = msg("84", dup170); - -var select83 = linear_select([ - msg163, - msg164, -]); - -var msg165 = msg("85:01", dup151); - -var msg166 = msg("85", dup152); - -var select84 = linear_select([ - msg165, - msg166, -]); - -var msg167 = msg("86:01", dup159); - -var msg168 = msg("86", dup160); - -var select85 = linear_select([ - msg167, - msg168, -]); - -var msg169 = msg("87:01", dup151); - -var msg170 = msg("87", dup152); - -var select86 = linear_select([ - msg169, - msg170, -]); - -var msg171 = msg("88:01", dup169); - -var msg172 = msg("88", dup170); - -var select87 = linear_select([ - msg171, - msg172, -]); - -var msg173 = msg("89:01", dup151); - -var msg174 = msg("89", dup152); - -var select88 = linear_select([ - 
msg173, - msg174, -]); - -var msg175 = msg("90:01", dup151); - -var msg176 = msg("90", dup152); - -var select89 = linear_select([ - msg175, - msg176, -]); - -var msg177 = msg("91:01", dup151); - -var msg178 = msg("91", dup152); - -var select90 = linear_select([ - msg177, - msg178, -]); - -var msg179 = msg("92:01", dup151); - -var msg180 = msg("92", dup152); - -var select91 = linear_select([ - msg179, - msg180, -]); - -var msg181 = msg("93:01", dup151); - -var msg182 = msg("93", dup152); - -var select92 = linear_select([ - msg181, - msg182, -]); - -var msg183 = msg("94:01", dup169); - -var msg184 = msg("94", dup170); - -var select93 = linear_select([ - msg183, - msg184, -]); - -var msg185 = msg("95:01", dup169); - -var msg186 = msg("95", dup170); - -var select94 = linear_select([ - msg185, - msg186, -]); - -var msg187 = msg("96:01", dup151); - -var msg188 = msg("96", dup152); - -var select95 = linear_select([ - msg187, - msg188, -]); - -var msg189 = msg("97:01", dup151); - -var msg190 = msg("97", dup152); - -var select96 = linear_select([ - msg189, - msg190, -]); - -var msg191 = msg("98:01", dup171); - -var msg192 = msg("98", dup170); - -var select97 = linear_select([ - msg191, - msg192, -]); - -var msg193 = msg("99:01", dup171); - -var msg194 = msg("99", dup170); - -var select98 = linear_select([ - msg193, - msg194, -]); - -var msg195 = msg("100:01", dup151); - -var msg196 = msg("100", dup152); - -var select99 = linear_select([ - msg195, - msg196, -]); - -var msg197 = msg("101:01", dup151); - -var msg198 = msg("101", dup152); - -var select100 = linear_select([ - msg197, - msg198, -]); - -var msg199 = msg("102:01", dup155); - -var msg200 = msg("102", dup156); - -var select101 = linear_select([ - msg199, - msg200, -]); - -var part18 = tagval("MESSAGE#200:103:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - 
"GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup27, - dup6, - dup7, - dup8, - dup28, - dup2, - dup3, -])); - -var msg201 = msg("103:01", part18); - -var part19 = match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup27, - dup6, - dup7, - dup8, - dup28, - dup2, -])); - -var msg202 = msg("103", part19); - -var select102 = linear_select([ - msg201, - msg202, -]); - -var part20 = tagval("MESSAGE#202:104:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - 
"Version": "version", -}, processor_chain([ - dup27, - dup6, - dup29, - dup2, - dup3, -])); - -var msg203 = msg("104:01", part20); - -var part21 = match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup27, - dup6, - dup29, - dup2, -])); - -var msg204 = msg("104", part21); - -var select103 = linear_select([ - msg203, - msg204, -]); - -var msg205 = msg("105:01", dup169); - -var msg206 = msg("105", dup170); - -var select104 = linear_select([ - msg205, - msg206, -]); - -var msg207 = msg("106:01", dup169); - -var msg208 = msg("106", dup170); - -var select105 = linear_select([ - msg207, - msg208, -]); - -var msg209 = msg("107:01", dup169); - -var msg210 = msg("107", dup170); - -var select106 = linear_select([ - msg209, - msg210, -]); - -var msg211 = msg("108:01", dup169); - -var msg212 = msg("108", dup170); - -var select107 = linear_select([ - msg211, - msg212, -]); - -var msg213 = msg("109:01", dup169); - -var msg214 = msg("109", dup170); - -var select108 = linear_select([ - msg213, - msg214, -]); - -var msg215 = msg("110:01", dup151); - -var msg216 = msg("110", dup152); - -var select109 = linear_select([ - msg215, - msg216, -]); - -var msg217 = msg("111:01", dup169); - -var msg218 = msg("111", dup170); - -var select110 = linear_select([ - msg217, - msg218, -]); - -var msg219 = msg("112:01", dup169); - -var msg220 = msg("112", dup170); - -var select111 = linear_select([ - msg219, - msg220, -]); - -var msg221 = msg("114:01", dup169); 
- -var msg222 = msg("114", dup170); - -var select112 = linear_select([ - msg221, - msg222, -]); - -var msg223 = msg("115:01", dup169); - -var msg224 = msg("115", dup170); - -var select113 = linear_select([ - msg223, - msg224, -]); - -var msg225 = msg("116:01", dup151); - -var msg226 = msg("116", dup152); - -var select114 = linear_select([ - msg225, - msg226, -]); - -var msg227 = msg("117:01", dup151); - -var msg228 = msg("117", dup152); - -var select115 = linear_select([ - msg227, - msg228, -]); - -var msg229 = msg("118:01", dup169); - -var msg230 = msg("118", dup170); - -var select116 = linear_select([ - msg229, - msg230, -]); - -var msg231 = msg("119:01", dup169); - -var msg232 = msg("119", dup170); - -var select117 = linear_select([ - msg231, - msg232, -]); - -var msg233 = msg("120:01", dup169); - -var msg234 = msg("120", dup170); - -var select118 = linear_select([ - msg233, - msg234, -]); - -var msg235 = msg("121:01", dup169); - -var msg236 = msg("121", dup170); - -var select119 = linear_select([ - msg235, - msg236, -]); - -var msg237 = msg("122:01", dup169); - -var msg238 = msg("122", dup170); - -var select120 = linear_select([ - msg237, - msg238, -]); - -var msg239 = msg("123:01", dup169); - -var msg240 = msg("123", dup170); - -var select121 = linear_select([ - msg239, - msg240, -]); - -var msg241 = msg("124:01", dup169); - -var msg242 = msg("124", dup170); - -var select122 = linear_select([ - msg241, - msg242, -]); - -var msg243 = msg("125:01", dup169); - -var msg244 = msg("125", dup170); - -var select123 = linear_select([ - msg243, - msg244, -]); - -var msg245 = msg("126:01", dup169); - -var msg246 = msg("126", dup170); - -var select124 = linear_select([ - msg245, - msg246, -]); - -var msg247 = msg("127:01", dup169); - -var msg248 = msg("127", dup170); - -var select125 = linear_select([ - msg247, - msg248, -]); - -var msg249 = msg("128:01", dup169); - -var msg250 = msg("128", dup170); - -var select126 = linear_select([ - msg249, - msg250, -]); - -var msg251 
= msg("129:01", dup169); - -var msg252 = msg("129", dup170); - -var select127 = linear_select([ - msg251, - msg252, -]); - -var msg253 = msg("130:01", dup169); - -var msg254 = msg("130", dup170); - -var select128 = linear_select([ - msg253, - msg254, -]); - -var msg255 = msg("131:01", dup151); - -var msg256 = msg("131", dup152); - -var select129 = linear_select([ - msg255, - msg256, -]); - -var msg257 = msg("132:01", dup151); - -var msg258 = msg("132", dup152); - -var select130 = linear_select([ - msg257, - msg258, -]); - -var msg259 = msg("133:01", dup151); - -var msg260 = msg("133", dup152); - -var select131 = linear_select([ - msg259, - msg260, -]); - -var part22 = tagval("MESSAGE#260:134:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup30, - dup2, - dup3, -])); - -var msg261 = msg("134:01", part22); - -var part23 = match("MESSAGE#261:134", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup30, - dup2, -])); - -var msg262 = msg("134", part23); - -var select132 = linear_select([ - msg261, - msg262, -]); - -var msg263 = msg("135:01", dup151); - -var msg264 = msg("135", dup152); - -var select133 = linear_select([ - msg263, - msg264, -]); - -var msg265 = msg("136:01", dup169); - -var msg266 = msg("136", dup170); - -var select134 = linear_select([ - msg265, - msg266, -]); - -var msg267 = msg("137:01", dup169); - -var msg268 = msg("137", dup170); - -var select135 = linear_select([ - msg267, - msg268, -]); - -var msg269 = msg("138:01", dup169); - -var msg270 = msg("138", dup170); - -var select136 = linear_select([ - msg269, - msg270, -]); - -var msg271 = msg("139:01", dup169); - -var msg272 = msg("139", dup170); - -var select137 = linear_select([ - msg271, - msg272, -]); - -var msg273 = msg("140:01", dup169); - -var msg274 = msg("140", dup170); - -var select138 = linear_select([ - msg273, - msg274, -]); - -var msg275 = msg("141:01", dup169); - -var msg276 = msg("141", dup170); - -var select139 = linear_select([ - msg275, - msg276, -]); - -var msg277 = msg("142:01", dup169); - -var msg278 = msg("142", dup170); - -var select140 = linear_select([ - msg277, - msg278, -]); - -var msg279 = msg("143:01", dup169); - -var msg280 = msg("143", dup170); - -var select141 = linear_select([ - msg279, - msg280, -]); - -var msg281 = msg("144:01", dup169); - -var msg282 = msg("144", dup170); - -var select142 = linear_select([ - msg281, - 
msg282, -]); - -var msg283 = msg("145:01", dup169); - -var msg284 = msg("145", dup170); - -var select143 = linear_select([ - msg283, - msg284, -]); - -var msg285 = msg("146:01", dup151); - -var msg286 = msg("146", dup152); - -var select144 = linear_select([ - msg285, - msg286, -]); - -var msg287 = msg("147:01", dup151); - -var msg288 = msg("147", dup152); - -var select145 = linear_select([ - msg287, - msg288, -]); - -var msg289 = msg("148:01", dup151); - -var msg290 = msg("148", dup152); - -var select146 = linear_select([ - msg289, - msg290, -]); - -var msg291 = msg("149:01", dup151); - -var msg292 = msg("149", dup152); - -var select147 = linear_select([ - msg291, - msg292, -]); - -var msg293 = msg("150:01", dup151); - -var msg294 = msg("150", dup152); - -var select148 = linear_select([ - msg293, - msg294, -]); - -var msg295 = msg("152:01", dup151); - -var msg296 = msg("152", dup152); - -var select149 = linear_select([ - msg295, - msg296, -]); - -var msg297 = msg("153:01", dup151); - -var msg298 = msg("153", dup152); - -var select150 = linear_select([ - msg297, - msg298, -]); - -var msg299 = msg("154:01", dup151); - -var msg300 = msg("154", dup152); - -var select151 = linear_select([ - msg299, - msg300, -]); - -var msg301 = msg("155:01", dup151); - -var msg302 = msg("155", dup152); - -var select152 = linear_select([ - msg301, - msg302, -]); - -var msg303 = msg("156:01", dup151); - -var msg304 = msg("156", dup152); - -var select153 = linear_select([ - msg303, - msg304, -]); - -var msg305 = msg("157:01", dup151); - -var msg306 = msg("157", dup152); - -var select154 = linear_select([ - msg305, - msg306, -]); - -var msg307 = msg("158:01", dup151); - -var msg308 = msg("158", dup152); - -var select155 = linear_select([ - msg307, - msg308, -]); - -var msg309 = msg("159:01", dup151); - -var msg310 = msg("159", dup152); - -var select156 = linear_select([ - msg309, - msg310, -]); - -var msg311 = msg("160:01", dup151); - -var msg312 = msg("160", dup152); - -var select157 = 
linear_select([ - msg311, - msg312, -]); - -var msg313 = msg("161:01", dup151); - -var msg314 = msg("161", dup152); - -var select158 = linear_select([ - msg313, - msg314, -]); - -var msg315 = msg("162:01", dup151); - -var msg316 = msg("162", dup152); - -var select159 = linear_select([ - msg315, - msg316, -]); - -var msg317 = msg("163:01", dup151); - -var msg318 = msg("163", dup152); - -var select160 = linear_select([ - msg317, - msg318, -]); - -var msg319 = msg("164:01", dup151); - -var msg320 = msg("164", dup152); - -var select161 = linear_select([ - msg319, - msg320, -]); - -var msg321 = msg("165:01", dup151); - -var msg322 = msg("165", dup152); - -var select162 = linear_select([ - msg321, - msg322, -]); - -var msg323 = msg("166:01", dup151); - -var msg324 = msg("166", dup152); - -var select163 = linear_select([ - msg323, - msg324, -]); - -var msg325 = msg("167:01", dup151); - -var msg326 = msg("167", dup152); - -var select164 = linear_select([ - msg325, - msg326, -]); - -var msg327 = msg("168:01", dup151); - -var msg328 = msg("168", dup152); - -var select165 = linear_select([ - msg327, - msg328, -]); - -var msg329 = msg("169:01", dup151); - -var msg330 = msg("169", dup152); - -var select166 = linear_select([ - msg329, - msg330, -]); - -var msg331 = msg("170:01", dup169); - -var msg332 = msg("170", dup170); - -var select167 = linear_select([ - msg331, - msg332, -]); - -var msg333 = msg("171:01", dup151); - -var msg334 = msg("171", dup152); - -var select168 = linear_select([ - msg333, - msg334, -]); - -var msg335 = msg("172:01", dup169); - -var msg336 = msg("172", dup170); - -var select169 = linear_select([ - msg335, - msg336, -]); - -var msg337 = msg("173:01", dup151); - -var msg338 = msg("173", dup152); - -var select170 = linear_select([ - msg337, - msg338, -]); - -var msg339 = msg("174:01", dup151); - -var msg340 = msg("174", dup152); - -var select171 = linear_select([ - msg339, - msg340, -]); - -var msg341 = msg("175:01", dup151); - -var msg342 = msg("175", 
dup152); - -var select172 = linear_select([ - msg341, - msg342, -]); - -var msg343 = msg("176:01", dup151); - -var msg344 = msg("176", dup152); - -var select173 = linear_select([ - msg343, - msg344, -]); - -var msg345 = msg("177:01", dup151); - -var msg346 = msg("177", dup152); - -var select174 = linear_select([ - msg345, - msg346, -]); - -var msg347 = msg("178:01", dup151); - -var msg348 = msg("178", dup152); - -var select175 = linear_select([ - msg347, - msg348, -]); - -var msg349 = msg("179:01", dup169); - -var msg350 = msg("179", dup170); - -var select176 = linear_select([ - msg349, - msg350, -]); - -var msg351 = msg("180:01", dup169); - -var msg352 = msg("180", dup170); - -var select177 = linear_select([ - msg351, - msg352, -]); - -var msg353 = msg("181:01", dup169); - -var msg354 = msg("181", dup170); - -var select178 = linear_select([ - msg353, - msg354, -]); - -var msg355 = msg("182:01", dup169); - -var msg356 = msg("182", dup170); - -var select179 = linear_select([ - msg355, - msg356, -]); - -var msg357 = msg("183:01", dup169); - -var msg358 = msg("183", dup170); - -var select180 = linear_select([ - msg357, - msg358, -]); - -var msg359 = msg("184:01", dup169); - -var msg360 = msg("184", dup170); - -var select181 = linear_select([ - msg359, - msg360, -]); - -var msg361 = msg("185:01", dup169); - -var msg362 = msg("185", dup170); - -var select182 = linear_select([ - msg361, - msg362, -]); - -var msg363 = msg("186:01", dup151); - -var msg364 = msg("186", dup152); - -var select183 = linear_select([ - msg363, - msg364, -]); - -var msg365 = msg("187:01", dup169); - -var msg366 = msg("187", dup170); - -var select184 = linear_select([ - msg365, - msg366, -]); - -var msg367 = msg("188:01", dup169); - -var msg368 = msg("188", dup170); - -var select185 = linear_select([ - msg367, - msg368, -]); - -var msg369 = msg("189:01", dup169); - -var msg370 = msg("189", dup170); - -var select186 = linear_select([ - msg369, - msg370, -]); - -var msg371 = msg("191:01", dup151); - 
-var msg372 = msg("191", dup152); - -var select187 = linear_select([ - msg371, - msg372, -]); - -var msg373 = msg("192:01", dup169); - -var msg374 = msg("192", dup170); - -var select188 = linear_select([ - msg373, - msg374, -]); - -var msg375 = msg("193:01", dup151); - -var msg376 = msg("193", dup152); - -var select189 = linear_select([ - msg375, - msg376, -]); - -var msg377 = msg("194:01", dup169); - -var msg378 = msg("194", dup170); - -var select190 = linear_select([ - msg377, - msg378, -]); - -var msg379 = msg("195:01", dup169); - -var msg380 = msg("195", dup170); - -var select191 = linear_select([ - msg379, - msg380, -]); - -var msg381 = msg("196:01", dup151); - -var msg382 = msg("196", dup152); - -var select192 = linear_select([ - msg381, - msg382, -]); - -var msg383 = msg("197:01", dup151); - -var msg384 = msg("197", dup152); - -var select193 = linear_select([ - msg383, - msg384, -]); - -var msg385 = msg("198:01", dup169); - -var msg386 = msg("198", dup170); - -var select194 = linear_select([ - msg385, - msg386, -]); - -var msg387 = msg("199:01", dup169); - -var msg388 = msg("199", dup170); - -var select195 = linear_select([ - msg387, - msg388, -]); - -var msg389 = msg("200:01", dup169); - -var msg390 = msg("200", dup170); - -var select196 = linear_select([ - msg389, - msg390, -]); - -var msg391 = msg("201:01", dup169); - -var msg392 = msg("201", dup170); - -var select197 = linear_select([ - msg391, - msg392, -]); - -var msg393 = msg("202:01", dup169); - -var msg394 = msg("202", dup170); - -var select198 = linear_select([ - msg393, - msg394, -]); - -var msg395 = msg("203:01", dup169); - -var msg396 = msg("203", dup170); - -var select199 = linear_select([ - msg395, - msg396, -]); - -var msg397 = msg("204:01", dup151); - -var msg398 = msg("204", dup152); - -var select200 = linear_select([ - msg397, - msg398, -]); - -var msg399 = msg("205:01", dup151); - -var msg400 = msg("205", dup152); - -var select201 = linear_select([ - msg399, - msg400, -]); - -var msg401 = 
msg("206:01", dup151); - -var msg402 = msg("206", dup152); - -var select202 = linear_select([ - msg401, - msg402, -]); - -var msg403 = msg("207:01", dup151); - -var msg404 = msg("207", dup152); - -var select203 = linear_select([ - msg403, - msg404, -]); - -var msg405 = msg("208:01", dup151); - -var msg406 = msg("208", dup152); - -var select204 = linear_select([ - msg405, - msg406, -]); - -var msg407 = msg("209:01", dup169); - -var msg408 = msg("209", dup170); - -var select205 = linear_select([ - msg407, - msg408, -]); - -var msg409 = msg("211:01", dup169); - -var msg410 = msg("211", dup170); - -var select206 = linear_select([ - msg409, - msg410, -]); - -var msg411 = msg("212:01", dup169); - -var msg412 = msg("212", dup170); - -var select207 = linear_select([ - msg411, - msg412, -]); - -var msg413 = msg("213:01", dup169); - -var msg414 = msg("213", dup170); - -var select208 = linear_select([ - msg413, - msg414, -]); - -var msg415 = msg("214:01", dup151); - -var msg416 = msg("214", dup152); - -var select209 = linear_select([ - msg415, - msg416, -]); - -var msg417 = msg("215:01", dup151); - -var msg418 = msg("215", dup152); - -var select210 = linear_select([ - msg417, - msg418, -]); - -var msg419 = msg("216:01", dup151); - -var msg420 = msg("216", dup152); - -var select211 = linear_select([ - msg419, - msg420, -]); - -var msg421 = msg("217:01", dup169); - -var msg422 = msg("217", dup170); - -var select212 = linear_select([ - msg421, - msg422, -]); - -var msg423 = msg("218:01", dup169); - -var msg424 = msg("218", dup170); - -var select213 = linear_select([ - msg423, - msg424, -]); - -var msg425 = msg("219:01", dup169); - -var msg426 = msg("219", dup170); - -var select214 = linear_select([ - msg425, - msg426, -]); - -var msg427 = msg("220:01", dup169); - -var msg428 = msg("220", dup170); - -var select215 = linear_select([ - msg427, - msg428, -]); - -var msg429 = msg("221:01", dup169); - -var msg430 = msg("221", dup170); - -var select216 = linear_select([ - msg429, - 
msg430, -]); - -var msg431 = msg("222:01", dup151); - -var msg432 = msg("222", dup152); - -var select217 = linear_select([ - msg431, - msg432, -]); - -var msg433 = msg("223:01", dup169); - -var msg434 = msg("223", dup170); - -var select218 = linear_select([ - msg433, - msg434, -]); - -var msg435 = msg("224:01", dup169); - -var msg436 = msg("224", dup170); - -var select219 = linear_select([ - msg435, - msg436, -]); - -var msg437 = msg("229:01", dup169); - -var msg438 = msg("229", dup170); - -var select220 = linear_select([ - msg437, - msg438, -]); - -var msg439 = msg("230:01", dup151); - -var msg440 = msg("230", dup152); - -var select221 = linear_select([ - msg439, - msg440, -]); - -var msg441 = msg("231:01", dup151); - -var msg442 = msg("231", dup152); - -var select222 = linear_select([ - msg441, - msg442, -]); - -var msg443 = msg("232:01", dup151); - -var msg444 = msg("232", dup152); - -var select223 = linear_select([ - msg443, - msg444, -]); - -var msg445 = msg("233:01", dup151); - -var msg446 = msg("233", dup152); - -var select224 = linear_select([ - msg445, - msg446, -]); - -var msg447 = msg("236:01", dup153); - -var msg448 = msg("236", dup154); - -var select225 = linear_select([ - msg447, - msg448, -]); - -var msg449 = msg("237:01", dup169); - -var msg450 = msg("237", dup170); - -var select226 = linear_select([ - msg449, - msg450, -]); - -var msg451 = msg("238:01", dup151); - -var msg452 = msg("238", dup152); - -var select227 = linear_select([ - msg451, - msg452, -]); - -var msg453 = msg("239:01", dup169); - -var msg454 = msg("239", dup170); - -var select228 = linear_select([ - msg453, - msg454, -]); - -var msg455 = msg("240:01", dup169); - -var msg456 = msg("240", dup170); - -var select229 = linear_select([ - msg455, - msg456, -]); - -var msg457 = msg("241:01", dup169); - -var msg458 = msg("241", dup170); - -var select230 = linear_select([ - msg457, - msg458, -]); - -var msg459 = msg("243:01", dup151); - -var msg460 = msg("243", dup152); - -var select231 = 
linear_select([ - msg459, - msg460, -]); - -var msg461 = msg("244:01", dup151); - -var msg462 = msg("244", dup152); - -var select232 = linear_select([ - msg461, - msg462, -]); - -var msg463 = msg("246:01", dup169); - -var msg464 = msg("246", dup170); - -var select233 = linear_select([ - msg463, - msg464, -]); - -var msg465 = msg("247:01", dup169); - -var msg466 = msg("247", dup170); - -var select234 = linear_select([ - msg465, - msg466, -]); - -var msg467 = msg("248:01", dup151); - -var msg468 = msg("248", dup152); - -var select235 = linear_select([ - msg467, - msg468, -]); - -var msg469 = msg("249:01", dup151); - -var msg470 = msg("249", dup152); - -var select236 = linear_select([ - msg469, - msg470, -]); - -var msg471 = msg("250:01", dup151); - -var msg472 = msg("250", dup152); - -var select237 = linear_select([ - msg471, - msg472, -]); - -var msg473 = msg("251:01", dup169); - -var msg474 = msg("251", dup170); - -var select238 = linear_select([ - msg473, - msg474, -]); - -var msg475 = msg("252:01", dup169); - -var msg476 = msg("252", dup170); - -var select239 = linear_select([ - msg475, - msg476, -]); - -var msg477 = msg("253:01", dup151); - -var msg478 = msg("253", dup152); - -var select240 = linear_select([ - msg477, - msg478, -]); - -var msg479 = msg("254:01", dup169); - -var msg480 = msg("254", dup170); - -var select241 = linear_select([ - msg479, - msg480, -]); - -var msg481 = msg("255:01", dup151); - -var msg482 = msg("255", dup152); - -var select242 = linear_select([ - msg481, - msg482, -]); - -var msg483 = msg("256:01", dup169); - -var msg484 = msg("256", dup170); - -var select243 = linear_select([ - msg483, - msg484, -]); - -var msg485 = msg("257:01", dup169); - -var msg486 = msg("257", dup170); - -var select244 = linear_select([ - msg485, - msg486, -]); - -var msg487 = msg("259:01", dup169); - -var msg488 = msg("259", dup170); - -var select245 = linear_select([ - msg487, - msg488, -]); - -var msg489 = msg("260:01", dup151); - -var msg490 = msg("260", 
dup152); - -var select246 = linear_select([ - msg489, - msg490, -]); - -var msg491 = msg("261:01", dup151); - -var msg492 = msg("261", dup152); - -var select247 = linear_select([ - msg491, - msg492, -]); - -var msg493 = msg("262:01", dup151); - -var msg494 = msg("262", dup152); - -var select248 = linear_select([ - msg493, - msg494, -]); - -var msg495 = msg("263:01", dup151); - -var msg496 = msg("263", dup152); - -var select249 = linear_select([ - msg495, - msg496, -]); - -var msg497 = msg("264:01", dup169); - -var msg498 = msg("264", dup170); - -var select250 = linear_select([ - msg497, - msg498, -]); - -var msg499 = msg("265:01", dup169); - -var msg500 = msg("265", dup170); - -var select251 = linear_select([ - msg499, - msg500, -]); - -var msg501 = msg("266:01", dup169); - -var msg502 = msg("266", dup170); - -var select252 = linear_select([ - msg501, - msg502, -]); - -var msg503 = msg("267:01", dup169); - -var msg504 = msg("267", dup170); - -var select253 = linear_select([ - msg503, - msg504, -]); - -var msg505 = msg("268:01", dup169); - -var msg506 = msg("268", dup170); - -var select254 = linear_select([ - msg505, - msg506, -]); - -var msg507 = msg("269:01", dup151); - -var msg508 = msg("269", dup152); - -var select255 = linear_select([ - msg507, - msg508, -]); - -var msg509 = msg("270:01", dup169); - -var msg510 = msg("270", dup170); - -var select256 = linear_select([ - msg509, - msg510, -]); - -var msg511 = msg("271:01", dup151); - -var msg512 = msg("271", dup152); - -var select257 = linear_select([ - msg511, - msg512, -]); - -var msg513 = msg("272:01", dup169); - -var msg514 = msg("272", dup170); - -var select258 = linear_select([ - msg513, - msg514, -]); - -var msg515 = msg("273:01", dup169); - -var msg516 = msg("273", dup170); - -var select259 = linear_select([ - msg515, - msg516, -]); - -var msg517 = msg("274:01", dup169); - -var msg518 = msg("274", dup170); - -var select260 = linear_select([ - msg517, - msg518, -]); - -var msg519 = msg("275:01", dup169); - 
-var msg520 = msg("275", dup170); - -var select261 = linear_select([ - msg519, - msg520, -]); - -var msg521 = msg("276:01", dup169); - -var msg522 = msg("276", dup170); - -var select262 = linear_select([ - msg521, - msg522, -]); - -var msg523 = msg("277:01", dup169); - -var msg524 = msg("277", dup170); - -var select263 = linear_select([ - msg523, - msg524, -]); - -var msg525 = msg("278:01", dup169); - -var msg526 = msg("278", dup170); - -var select264 = linear_select([ - msg525, - msg526, -]); - -var msg527 = msg("279:01", dup169); - -var msg528 = msg("279", dup170); - -var select265 = linear_select([ - msg527, - msg528, -]); - -var msg529 = msg("280:01", dup151); - -var msg530 = msg("280", dup152); - -var select266 = linear_select([ - msg529, - msg530, -]); - -var msg531 = msg("281:01", dup151); - -var msg532 = msg("281", dup152); - -var select267 = linear_select([ - msg531, - msg532, -]); - -var msg533 = msg("282:01", dup169); - -var msg534 = msg("282", dup170); - -var select268 = linear_select([ - msg533, - msg534, -]); - -var msg535 = msg("283:01", dup169); - -var msg536 = msg("283", dup170); - -var select269 = linear_select([ - msg535, - msg536, -]); - -var msg537 = msg("284:01", dup151); - -var msg538 = msg("284", dup152); - -var select270 = linear_select([ - msg537, - msg538, -]); - -var msg539 = msg("285:01", dup159); - -var msg540 = msg("285", dup160); - -var select271 = linear_select([ - msg539, - msg540, -]); - -var msg541 = msg("286:01", dup169); - -var msg542 = msg("286", dup170); - -var select272 = linear_select([ - msg541, - msg542, -]); - -var msg543 = msg("287:01", dup169); - -var msg544 = msg("287", dup170); - -var select273 = linear_select([ - msg543, - msg544, -]); - -var msg545 = msg("288:01", dup169); - -var msg546 = msg("288", dup170); - -var select274 = linear_select([ - msg545, - msg546, -]); - -var msg547 = msg("289:01", dup169); - -var msg548 = msg("289", dup170); - -var select275 = linear_select([ - msg547, - msg548, -]); - -var msg549 = 
msg("290:01", dup169); - -var msg550 = msg("290", dup170); - -var select276 = linear_select([ - msg549, - msg550, -]); - -var msg551 = msg("291:01", dup169); - -var msg552 = msg("291", dup170); - -var select277 = linear_select([ - msg551, - msg552, -]); - -var msg553 = msg("292:01", dup169); - -var msg554 = msg("292", dup170); - -var select278 = linear_select([ - msg553, - msg554, -]); - -var msg555 = msg("293:01", dup169); - -var msg556 = msg("293", dup170); - -var select279 = linear_select([ - msg555, - msg556, -]); - -var msg557 = msg("294:01", dup169); - -var msg558 = msg("294", dup170); - -var select280 = linear_select([ - msg557, - msg558, -]); - -var msg559 = msg("295:01", dup169); - -var msg560 = msg("295", dup170); - -var select281 = linear_select([ - msg559, - msg560, -]); - -var msg561 = msg("296:01", dup169); - -var msg562 = msg("296", dup170); - -var select282 = linear_select([ - msg561, - msg562, -]); - -var msg563 = msg("297:01", dup151); - -var msg564 = msg("297", dup152); - -var select283 = linear_select([ - msg563, - msg564, -]); - -var msg565 = msg("298:01", dup151); - -var msg566 = msg("298", dup152); - -var select284 = linear_select([ - msg565, - msg566, -]); - -var msg567 = msg("299:01", dup169); - -var msg568 = msg("299", dup170); - -var select285 = linear_select([ - msg567, - msg568, -]); - -var part24 = match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); - -var all1 = all_match({ - processors: [ - dup31, - dup172, - dup173, - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - dup183, - dup184, - dup185, - dup186, - dup187, - dup188, - dup189, - dup190, - dup191, - dup192, - dup193, - dup194, - part24, - ], - on_success: processor_chain([ - dup4, - dup2, - dup3, - dup24, - ]), -}); - -var msg569 = msg("300:02", all1); - -var part25 = tagval("MESSAGE#569:300:01", 
"nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup4, - dup2, - dup3, - dup24, -])); - -var msg570 = msg("300:01", part25); - -var msg571 = msg("300", dup154); - -var select286 = linear_select([ - msg569, - msg570, - msg571, -]); - -var msg572 = msg("301:01", dup163); - -var msg573 = msg("301", dup164); - -var select287 = linear_select([ - msg572, - msg573, -]); - -var part26 = match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); - -var all2 = all_match({ - processors: [ - dup31, - dup172, - dup173, - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - dup183, - dup184, - dup185, - dup186, - dup187, - dup188, - dup189, - dup190, - dup191, - dup192, - dup193, - dup194, - part26, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - dup24, - ]), -}); - -var msg574 = msg("302:02", all2); - -var msg575 = msg("302:01", dup163); - -var msg576 = msg("302", dup164); - -var select288 = linear_select([ - msg574, - msg575, - msg576, -]); - -var msg577 = msg("303:01", dup163); - -var msg578 = msg("303", dup164); - -var select289 = linear_select([ - msg577, - msg578, -]); - -var part27 = match("MESSAGE#578:304:02/23_0", "nwparser.p0", 
"\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); - -var part28 = match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); - -var select290 = linear_select([ - part27, - part28, -]); - -var part29 = match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); - -var all3 = all_match({ - processors: [ - dup31, - dup172, - dup173, - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - dup183, - dup184, - dup185, - dup186, - dup187, - dup188, - dup189, - dup190, - dup191, - dup192, - dup193, - select290, - part29, - ], - on_success: processor_chain([ - dup26, - dup2, - dup3, - dup24, - ]), -}); - -var msg579 = msg("304:02", all3); - -var msg580 = msg("304:01", dup169); - -var msg581 = msg("304", dup170); - -var select291 = linear_select([ - msg579, - msg580, - msg581, -]); - -var msg582 = msg("305:01", dup169); - -var msg583 = msg("305", dup170); - -var select292 = linear_select([ - msg582, - msg583, -]); - -var msg584 = msg("306:01", dup151); - -var msg585 = msg("306", dup152); - -var select293 = linear_select([ - msg584, - msg585, -]); - -var msg586 = msg("307:01", dup151); - -var msg587 = msg("307", dup152); - -var select294 = linear_select([ - msg586, - msg587, -]); - -var part30 = tagval("MESSAGE#587:308:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - 
"TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup78, - dup2, - dup3, -])); - -var msg588 = msg("308:01", part30); - -var part31 = match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup78, - dup2, -])); - -var msg589 = msg("308", part31); - -var select295 = linear_select([ - msg588, - msg589, -]); - -var part32 = tagval("MESSAGE#589:309:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup10, - dup6, - dup7, - dup8, - dup9, - dup2, - dup3, -])); - -var msg590 = msg("309:01", part32); - -var part33 = match("MESSAGE#590:309", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup10, - dup6, - dup7, - dup8, - dup9, - dup2, -])); - -var msg591 = msg("309", part33); - -var select296 = linear_select([ - msg590, - msg591, -]); - -var msg592 = msg("317:01", dup195); - -var msg593 = msg("317", dup196); - -var select297 = linear_select([ - msg592, - msg593, -]); - -var msg594 = msg("316:01", dup195); - -var msg595 = msg("316", dup196); - -var select298 = linear_select([ - msg594, - msg595, -]); - -var msg596 = msg("355:01", dup197); - -var msg597 = msg("355", dup198); - -var select299 = linear_select([ - msg596, - msg597, -]); - -var msg598 = msg("356:01", dup197); - -var msg599 = msg("356", dup198); - -var select300 = linear_select([ - msg598, - msg599, -]); - -var msg600 = msg("357:01", dup199); - -var msg601 = msg("357", dup200); - -var select301 = linear_select([ - msg600, - msg601, -]); - -var msg602 = msg("358:01", dup199); - -var msg603 = msg("358", dup200); - -var select302 = linear_select([ - msg602, - msg603, -]); - -var part34 = tagval("MESSAGE#603:190:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": 
"group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup84, - dup2, - dup3, -])); - -var msg604 = msg("190:01", part34); - -var part35 = match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup84, - dup2, -])); - -var msg605 = msg("190", part35); - -var select303 = linear_select([ - msg604, - msg605, -]); - -var msg606 = msg("5:01", dup161); - -var msg607 = msg("5", dup162); - -var select304 = linear_select([ - msg606, - msg607, -]); - -var msg608 = msg("310:01", dup153); - -var msg609 = msg("310", dup154); - -var select305 = linear_select([ - msg608, - msg609, -]); - -var msg610 = msg("311:01", dup153); - -var msg611 = msg("311", dup154); - -var select306 = linear_select([ - msg610, - msg611, -]); - -var msg612 = msg("312:01", dup153); - -var msg613 = msg("312", dup154); - -var select307 = linear_select([ - msg612, - msg613, -]); - -var msg614 = msg("313:01", dup153); - -var msg615 = msg("313", dup154); - -var select308 = linear_select([ - msg614, - msg615, -]); - -var msg616 = msg("359:01", dup153); - -var msg617 = msg("359", dup154); - -var select309 = linear_select([ - msg616, - msg617, -]); - -var msg618 = msg("372", dup201); - -var msg619 = msg("374", dup201); - -var msg620 = msg("376", dup201); - -var part36 = match("MESSAGE#620:411:01/17_0", "nwparser.p0", 
"\"%{fld89}\";LogonDomain=%{p0}"); - -var part37 = match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); - -var select310 = linear_select([ - part36, - part37, -]); - -var part38 = match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); - -var part39 = match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); - -var select311 = linear_select([ - part38, - part39, -]); - -var part40 = match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); - -var all4 = all_match({ - processors: [ - dup31, - dup172, - dup173, - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - dup183, - dup184, - dup185, - dup186, - dup187, - select310, - dup189, - dup190, - dup191, - dup192, - dup193, - select311, - part40, - ], - on_success: processor_chain([ - dup4, - dup2, - dup3, - dup24, - ]), -}); - -var msg621 = msg("411:01", all4); - -var part41 = match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); - -var select312 = linear_select([ - part41, - dup150, -]); - -var all5 = all_match({ - processors: [ - dup31, - dup202, - dup87, - dup203, - dup90, - dup204, - dup93, - dup205, - dup96, - dup206, - dup99, - dup207, - dup102, - dup208, - dup105, - dup209, - dup108, - dup210, - dup111, - dup211, - dup114, - dup212, - dup119, - dup213, - dup122, - dup214, - dup125, - dup215, - dup128, - dup216, - dup131, - dup217, - dup134, - dup218, - dup137, - dup219, - dup140, - dup220, - dup143, - dup221, - dup146, - dup222, - dup149, - select312, - ], - 
on_success: processor_chain([ - dup4, - dup2, - dup3, - ]), -}); - -var msg622 = msg("411", all5); - -var select313 = linear_select([ - msg621, - msg622, -]); - -var part42 = match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ - dup4, - dup2, - dup3, -])); - -var msg623 = msg("385", part42); - -var part43 = match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); - -var select314 = linear_select([ - part43, - dup150, -]); - -var all6 = all_match({ - processors: [ - dup31, - dup202, - dup87, - dup203, - dup90, - dup204, - dup93, - dup205, - dup96, - dup206, - dup99, - dup207, - dup102, - dup208, - dup105, - dup209, - dup108, - dup210, - dup111, - dup211, - dup114, - dup212, - dup119, - dup213, - dup122, - dup214, - dup125, - dup215, - dup128, - dup216, - dup131, - dup217, - dup134, - dup218, - dup137, - dup219, - dup140, - dup220, - dup143, - dup221, - dup146, - dup222, - dup149, - select314, - ], - on_success: processor_chain([ - dup4, - dup2, - dup3, - ]), -}); - -var msg624 = msg("361", all6); - -var part44 = match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); - -var select315 = linear_select([ - part44, - dup150, -]); - -var 
all7 = all_match({ - processors: [ - dup31, - dup202, - dup87, - dup203, - dup90, - dup204, - dup93, - dup205, - dup96, - dup206, - dup99, - dup207, - dup102, - dup208, - dup105, - dup209, - dup108, - dup210, - dup111, - dup211, - dup114, - dup212, - dup119, - dup213, - dup122, - dup214, - dup125, - dup215, - dup128, - dup216, - dup131, - dup217, - dup134, - dup218, - dup137, - dup219, - dup140, - dup220, - dup143, - dup221, - dup146, - dup222, - dup149, - select315, - ], - on_success: processor_chain([ - dup4, - dup2, - dup3, - ]), -}); - -var msg625 = msg("412", all7); - -var msg626 = msg("378", dup153); - -var msg627 = msg("321", dup153); - -var msg628 = msg("322", dup153); - -var msg629 = msg("323", dup153); - -var msg630 = msg("318", dup153); - -var msg631 = msg("380", dup153); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "1": select2, - "10": select9, - "100": select99, - "101": select100, - "102": select101, - "103": select102, - "104": select103, - "105": select104, - "106": select105, - "107": select106, - "108": select107, - "109": select108, - "11": select10, - "110": select109, - "111": select110, - "112": select111, - "114": select112, - "115": select113, - "116": select114, - "117": select115, - "118": select116, - "119": select117, - "12": select11, - "120": select118, - "121": select119, - "122": select120, - "123": select121, - "124": select122, - "125": select123, - "126": select124, - "127": select125, - "128": select126, - "129": select127, - "13": select12, - "130": select128, - "131": select129, - "132": select130, - "133": select131, - "134": select132, - "135": select133, - "136": select134, - "137": select135, - "138": select136, - "139": select137, - "14": select13, - "140": select138, - "141": select139, - "142": select140, - "143": select141, - "144": select142, - "145": select143, - "146": select144, - "147": select145, - "148": select146, - "149": select147, - "15": select14, - "150": select148, - "152": select149, - 
"153": select150, - "154": select151, - "155": select152, - "156": select153, - "157": select154, - "158": select155, - "159": select156, - "16": select15, - "160": select157, - "161": select158, - "162": select159, - "163": select160, - "164": select161, - "165": select162, - "166": select163, - "167": select164, - "168": select165, - "169": select166, - "17": select16, - "170": select167, - "171": select168, - "172": select169, - "173": select170, - "174": select171, - "175": select172, - "176": select173, - "177": select174, - "178": select175, - "179": select176, - "18": select17, - "180": select177, - "181": select178, - "182": select179, - "183": select180, - "184": select181, - "185": select182, - "186": select183, - "187": select184, - "188": select185, - "189": select186, - "19": select18, - "190": select303, - "191": select187, - "192": select188, - "193": select189, - "194": select190, - "195": select191, - "196": select192, - "197": select193, - "198": select194, - "199": select195, - "2": select3, - "20": select19, - "200": select196, - "201": select197, - "202": select198, - "203": select199, - "204": select200, - "205": select201, - "206": select202, - "207": select203, - "208": select204, - "209": select205, - "21": select20, - "211": select206, - "212": select207, - "213": select208, - "214": select209, - "215": select210, - "216": select211, - "217": select212, - "218": select213, - "219": select214, - "22": select21, - "220": select215, - "221": select216, - "222": select217, - "223": select218, - "224": select219, - "229": select220, - "23": select22, - "230": select221, - "231": select222, - "232": select223, - "233": select224, - "236": select225, - "237": select226, - "238": select227, - "239": select228, - "24": select23, - "240": select229, - "241": select230, - "243": select231, - "244": select232, - "246": select233, - "247": select234, - "248": select235, - "249": select236, - "25": select24, - "250": select237, - "251": select238, - 
"252": select239, - "253": select240, - "254": select241, - "255": select242, - "256": select243, - "257": select244, - "259": select245, - "26": select25, - "260": select246, - "261": select247, - "262": select248, - "263": select249, - "264": select250, - "265": select251, - "266": select252, - "267": select253, - "268": select254, - "269": select255, - "27": select26, - "270": select256, - "271": select257, - "272": select258, - "273": select259, - "274": select260, - "275": select261, - "276": select262, - "277": select263, - "278": select264, - "279": select265, - "28": select27, - "280": select266, - "281": select267, - "282": select268, - "283": select269, - "284": select270, - "285": select271, - "286": select272, - "287": select273, - "288": select274, - "289": select275, - "29": select28, - "290": select276, - "291": select277, - "292": select278, - "293": select279, - "294": select280, - "295": select281, - "296": select282, - "297": select283, - "298": select284, - "299": select285, - "3": select4, - "30": select29, - "300": select286, - "301": select287, - "302": select288, - "303": select289, - "304": select291, - "305": select292, - "306": select293, - "307": select294, - "308": select295, - "309": select296, - "31": select30, - "310": select305, - "311": select306, - "312": select307, - "313": select308, - "316": select298, - "317": select297, - "318": msg630, - "32": select31, - "321": msg627, - "322": msg628, - "323": msg629, - "33": select32, - "34": select33, - "35": select34, - "355": select299, - "356": select300, - "357": select301, - "358": select302, - "359": select309, - "36": select35, - "361": msg624, - "37": select36, - "372": msg618, - "374": msg619, - "376": msg620, - "378": msg626, - "38": select37, - "380": msg631, - "385": msg623, - "39": select38, - "4": select5, - "40": select39, - "41": select40, - "411": select313, - "412": msg625, - "42": select41, - "43": select42, - "44": select43, - "45": select44, - "46": select45, - "47": 
select46, - "48": select47, - "49": select48, - "5": select304, - "50": select49, - "51": select50, - "52": select51, - "53": select52, - "54": select53, - "55": select54, - "56": select55, - "57": select56, - "58": select57, - "59": select58, - "60": select59, - "61": select60, - "62": select61, - "63": select62, - "64": select63, - "65": select64, - "66": select65, - "67": select66, - "68": select67, - "69": select68, - "7": select6, - "70": select69, - "71": select70, - "72": select71, - "73": select72, - "74": select73, - "75": select74, - "76": select75, - "77": select76, - "78": select77, - "79": select78, - "8": select7, - "80": select79, - "81": select80, - "82": select81, - "83": select82, - "84": select83, - "85": select84, - "86": select85, - "87": select86, - "88": select87, - "89": select88, - "9": select8, - "90": select89, - "91": select90, - "92": select91, - "93": select92, - "94": select93, - "95": select94, - "96": select95, - "97": select96, - "98": select97, - "99": select98, - }), -]); - -var part45 = match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); - -var part46 = match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); - -var part47 = match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); - -var part48 = match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); - -var part49 = match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); - -var part50 = match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); - -var part51 = match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); - -var part52 = match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); - -var part53 = match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); - -var part54 = match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%(unknown)\";Safe=%{p0}"); - -var part55 = match("MESSAGE#568:300:02/5_1", 
"nwparser.p0", "%(unknown);Safe=%{p0}"); - -var part56 = match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); - -var part57 = match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); - -var part58 = match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); - -var part59 = match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); - -var part60 = match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); - -var part61 = match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); - -var part62 = match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); - -var part63 = match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); - -var part64 = match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); - -var part65 = match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); - -var part66 = match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); - -var part67 = match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); - -var part68 = match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); - -var part69 = match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); - -var part70 = match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); - -var part71 = match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); - -var part72 = match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); - -var part73 = match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); - -var part74 = match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); - -var part75 = match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); - 
-var part76 = match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); - -var part77 = match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); - -var part78 = match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); - -var part79 = match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); - -var part80 = match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); - -var part81 = match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); - -var part82 = match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); - -var part83 = match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); - -var part84 = match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); - -var part85 = match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); - -var part86 = match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); - -var part87 = match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); - -var part88 = match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); - -var part89 = match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); - -var part90 = match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); - -var part91 = match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); - -var part92 = match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); - -var part93 = match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); - -var part94 = match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); - -var part95 = match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); - -var part96 = match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); - -var 
part97 = match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); - -var part98 = match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); - -var part99 = match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); - -var part100 = match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); - -var part101 = match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); - -var part102 = match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); - -var part103 = match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); - -var part104 = match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%(unknown)\";%{p0}"); - -var part105 = match("MESSAGE#621:411/9_1", "nwparser.p0", "%(unknown);%{p0}"); - -var part106 = match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); - -var part107 = match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); - -var part108 = match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); - -var part109 = match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); - -var part110 = match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); - -var part111 = match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); - -var part112 = match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); - -var part113 = match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); - -var part114 = match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); - -var part115 = match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); - -var part116 = match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); - -var part117 = match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); - -var part118 = match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); - -var part119 = match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); - -var part120 = match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); - -var 
part121 = match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); - -var part122 = match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); - -var part123 = match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); - -var part124 = match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); - -var part125 = match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); - -var part126 = match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); - -var part127 = match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); - -var part128 = match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); - -var part129 = match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); - -var part130 = match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); - -var part131 = match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); - -var part132 = match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); - -var part133 = match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); - -var part134 = match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); - -var part135 = match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); - -var part136 = match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); - -var part137 = match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); - -var part138 = match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); - -var part139 = match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); - -var part140 = match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); - -var part141 = match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); - -var part142 = match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); - -var part143 = match("MESSAGE#621:411/33_1", "nwparser.p0", 
"%{dhost};%{p0}"); - -var part144 = match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); - -var part145 = match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); - -var part146 = match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); - -var part147 = match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); - -var part148 = match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); - -var part149 = match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); - -var part150 = match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); - -var part151 = match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); - -var part152 = match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); - -var part153 = match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); - -var part154 = match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); - -var part155 = match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); - -var part156 = match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); - -var part157 = match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); - -var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup1, - dup2, - dup3, -])); - -var part159 = match("MESSAGE#1:1", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup1, - dup2, -])); - -var part160 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup4, - dup2, - dup3, -])); - -var part161 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup4, - dup2, -])); - -var part162 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { - 
"Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - dup2, - dup3, -])); - -var part163 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup5, - dup6, - dup7, - dup8, - dup9, - dup2, -])); - -var part164 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - 
"UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup15, - dup16, - dup17, - dup9, - dup2, - dup3, -])); - -var part165 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup16, - dup17, - dup9, - dup2, -])); - -var part166 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup19, - dup2, - dup3, -])); - -var part167 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup19, - dup2, -])); - -var part168 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup15, - dup2, - dup3, -])); - -var part169 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup15, - dup2, -])); - -var part170 = tagval("MESSAGE#38:22:01", "nwparser.payload", 
tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup21, - dup2, - dup3, -])); - -var part171 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup21, - dup2, -])); - -var part172 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", 
-}, processor_chain([ - dup23, - dup2, - dup3, -])); - -var part173 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup23, - dup2, -])); - -var part174 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup20, - dup2, - dup3, -])); - -var part175 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup20, - dup2, -])); - -var part176 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup26, - dup2, - dup3, -])); - -var part177 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup26, - dup2, -])); - -var part178 = tagval("MESSAGE#190:98:01", 
"nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup26, - dup2, - dup3, - dup24, - dup25, -])); - -var select316 = linear_select([ - dup32, - dup33, -]); - -var select317 = linear_select([ - dup34, - dup35, -]); - -var select318 = linear_select([ - dup36, - dup37, -]); - -var select319 = linear_select([ - dup38, - dup39, -]); - -var select320 = linear_select([ - dup40, - dup41, -]); - -var select321 = linear_select([ - dup42, - dup43, -]); - -var select322 = linear_select([ - dup44, - dup45, -]); - -var select323 = linear_select([ - dup46, - dup47, -]); - -var select324 = linear_select([ - dup48, - dup49, -]); - -var select325 = linear_select([ - dup50, - dup51, -]); - -var select326 = linear_select([ - dup52, - dup53, -]); - -var select327 = linear_select([ - dup54, - dup55, -]); - -var select328 = linear_select([ - dup56, - dup57, -]); - -var select329 = linear_select([ - dup58, - dup59, -]); - -var select330 = linear_select([ - dup60, - dup61, -]); - -var select331 = linear_select([ - dup62, - dup63, -]); - -var select332 = linear_select([ - dup64, - dup65, -]); - -var select333 = linear_select([ - dup66, - dup67, -]); - -var select334 = linear_select([ - dup68, - dup69, -]); - -var select335 = linear_select([ - dup70, - dup71, -]); - -var select336 = linear_select([ - dup72, - dup73, -]); - -var select337 = linear_select([ - dup74, - dup75, -]); - -var 
select338 = linear_select([ - dup76, - dup77, -]); - -var part179 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup79, - dup80, - dup81, - dup2, - dup3, -])); - -var part180 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup79, - dup80, - dup81, - dup2, -])); - -var part181 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": 
"severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup82, - dup2, - dup3, -])); - -var part182 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup82, - dup2, -])); - -var part183 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { - "Address": "dhost", - "CPMStatus": "disposition", - "Category": "category", - "Database": "db_name", - "DeviceType": "obj_type", - "ExtraDetails": "info", - "File": "filename", - "GatewayStation": "saddr", - "Issuer": "username", - "Location": "directory", - "LogonDomain": "domain", - "Message": "action", - "PolicyID": "policyname", - "Port": "dport", - "Reason": "event_description", - "RequestId": "id1", - "Safe": "group_object", - "Severity": "severity", - "SourceUser": "group", - "Station": "hostip", - "TargetUser": "uid", - "TicketID": "operation_id", - "UserName": "c_username", - "Version": "version", -}, processor_chain([ - dup83, - dup2, - dup3, -])); - -var part184 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ - dup83, - dup2, -])); - -var part185 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ - dup4, - dup2, - dup3, -])); - -var select339 = linear_select([ - dup85, - dup86, -]); - -var select340 = linear_select([ - dup88, - dup89, -]); - -var select341 = linear_select([ - dup91, - dup92, -]); - -var select342 = linear_select([ - dup94, - dup95, -]); - -var select343 = linear_select([ - dup97, - dup98, -]); - -var select344 = linear_select([ - dup100, - dup101, -]); - -var select345 = linear_select([ - dup103, - dup104, -]); - -var select346 = linear_select([ - dup106, - dup107, -]); - -var select347 = linear_select([ - dup109, - dup110, -]); - -var select348 = linear_select([ - dup112, - dup113, -]); - -var select349 = linear_select([ - dup115, - dup116, - dup117, - dup118, -]); - -var select350 = linear_select([ - dup120, - dup121, -]); - -var select351 = linear_select([ - dup123, - dup124, -]); - -var select352 = linear_select([ - dup126, - dup127, -]); - -var 
select353 = linear_select([ - dup129, - dup130, -]); - -var select354 = linear_select([ - dup132, - dup133, -]); - -var select355 = linear_select([ - dup135, - dup136, -]); - -var select356 = linear_select([ - dup138, - dup139, -]); - -var select357 = linear_select([ - dup141, - dup142, -]); - -var select358 = linear_select([ - dup144, - dup145, -]); - -var select359 = linear_select([ - dup147, - dup148, -]); diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml deleted file mode 100644 index c0e79ff34d69..000000000000 --- a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml +++ /dev/null 
@@ -1,64 +0,0 @@
----
-description: Pipeline for Cyber-Ark
-
-processors:
- # ECS event.ingested
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/cyberark/corepas/manifest.yml b/x-pack/filebeat/module/cyberark/corepas/manifest.yml
deleted file mode 100644
index 068553fbee91..000000000000
--- a/x-pack/filebeat/module/cyberark/corepas/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["cyberark.corepas", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9543
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log b/x-pack/filebeat/module/cyberark/corepas/test/generated.log
deleted file mode 100644
index 29dd49e5dabf..000000000000
--- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -2016-01-29 06:09:59.732538723 +0000 UTC eacommod1428.lan %CYBERARK: MessageID="188";exercita 1.1332",ProductAccount="itv",ProductProcess="odoco",EventId="ria",EventClass="min",EventSeverity="low",EventMessage="allow",ActingUserName="utl",ActingAddress="10.208.15.216",ActionSourceUser="tation",ActionTargetUser="quasiarc",ActionObject="liqua",ActionSafe="ciade",ActionLocation="turadipi",ActionCategory="aeca",ActionRequestId="idi",ActionReason="pexe",ActionExtraDetails="nes" -%CYBERARK: MessageID="168";Version=1.259;Message=block;Issuer=dolore;Station=10.92.136.230;File=ritquiin;Safe=umqui;Location=reeufugi;Category=mdolo;RequestId=mqui;Reason=nci;Severity=very-high;SourceUser=litesse;TargetUser=orev;GatewayStation=10.175.75.18;TicketID=deF;PolicyID=sist;UserName=nnumqu;LogonDomain=iatnu3810.mail.localdomain;Address=volup208.invalid;CPMStatus=eosquir;Port=5191;Database=umdo;DeviceType=itessequ;ExtraDetails=vol; -nibus 2016-02-26 20:15:08.252538723 +0000 UTC mipsumq3879.internal.localdomain %CYBERARK: MessageID="26";Version=1.7269;Message=accept;Issuer=incid;Station=10.51.132.10;File=utper;Safe=squame;Location=ntex;Category=eius;RequestId=luptat;Reason=emape;Severity=low;SourceUser=incidi;TargetUser=nse;GatewayStation=10.46.185.46;TicketID=temvel;PolicyID=iatu;UserName=serror;LogonDomain=anti4454.api.example;Address=tetu5280.www5.invalid;CPMStatus=tionulam;Port=2548;Database=byC;DeviceType=tinculp;ExtraDetails=tur; -2016-03-12 03:17:42.512538723 +0000 UTC minim7868.www5.localdomain %CYBERARK: MessageID="184";Version=1.6713;Message=deny;Issuer=psumquia;Station=10.53.192.140;File=con;Safe=uia;Location=quiavo;Category=issusci;RequestId=mol;Reason=taspe;Severity=high;SourceUser=psumq;TargetUser=atcup;GatewayStation=10.155.236.240;TicketID=tatno;PolicyID=dquiac;UserName=ptass;LogonDomain=uam6303.api.lan;Address=llu4762.mail.localdomain;CPMStatus=scivel;Port=5695;Database=aperi;DeviceType=iveli;ExtraDetails=llumd; -%CYBERARK: MessageID="161";emaper 
1.2638",ProductAccount="eos",ProductProcess="enimad",EventId="rmagni",EventClass="sit",EventSeverity="medium",EventMessage="cancel",ActingUserName="oremips",ActingAddress="10.81.199.122",ActionSourceUser="aquaeabi",ActionTargetUser="giatq",ActionObject="quid",ActionSafe="fug",ActionLocation="uatDuis",ActionCategory="ude",ActionRequestId="maveniam",ActionReason="uian",ActionExtraDetails="tempo" -eetd 2016-04-09 17:22:51.032538723 +0000 UTC eip1448.internal.local %CYBERARK: MessageID="139";Version=1.3491;Message=deny;Issuer=tcupida;Station=10.139.186.201;File=ect;Safe=reetdolo;Location=nrepreh;Category=obeataev;RequestId=lor;Reason=uidexea;Severity=medium;SourceUser=natura;TargetUser=aboris;GatewayStation=10.172.14.142;TicketID=ssitaspe;PolicyID=gitsedqu;UserName=uam;LogonDomain=temq1198.internal.example;Address=aquaeab2275.www5.domain;CPMStatus=ehend;Port=4091;Database=isiu;DeviceType=nimadmi;ExtraDetails=iatisu; -%CYBERARK: MessageID="106";Version=1.6875;Message=accept;Issuer=ipis;Station=10.47.76.251;File=eataevit;Safe=uptatev;Location=uovol;Category=dmi;RequestId=olab;Reason=mquisnos;Severity=medium;SourceUser=ore;TargetUser=etconsec;GatewayStation=10.104.111.129;TicketID=mUt;PolicyID=usmodte;UserName=ele;LogonDomain=tenbyCic5882.api.home;Address=amquisno3338.www5.lan;CPMStatus=nonnu;Port=776;Database=riat;DeviceType=luptatem;ExtraDetails=umdolor; -inB 2016-05-08 07:27:59.552538723 +0000 UTC deomni124.www.example %CYBERARK: MessageID="74";tae 1.1382",ProductAccount="animi",ProductProcess="oluptate",EventId="ofdeF",EventClass="tion",EventSeverity="very-high",EventMessage="deny",ActingUserName="quiratio",ActingAddress="10.116.120.216",ActionSourceUser="qua",ActionTargetUser="umdo",ActionObject="sed",ActionSafe="apariat",ActionLocation="mol",ActionCategory="pteursi",ActionRequestId="onse",ActionReason="rumet",ActionExtraDetails="oll" -Ciceroi 2016-05-22 14:30:33.812538723 +0000 UTC aveniam1436.www.test %CYBERARK: 
MessageID="144";Version=1.5529;Message=cancel;Issuer=taevi;Station=10.62.54.220;File=ehenderi;Safe=pidatat;Location=gni;Category=tquiinea;RequestId=mquaera;Reason=dun;Severity=medium;SourceUser=Duisau;TargetUser=psum;GatewayStation=10.57.40.29;TicketID=undeo;PolicyID=loremip;UserName=rnatura;LogonDomain=isqu7224.localdomain;Address=idolores3839.localdomain;CPMStatus=metcon;Port=2424;Database=emeumfug;DeviceType=upta;ExtraDetails=omn; -ons 2016-06-05 21:33:08.072538723 +0000 UTC tessec3539.home %CYBERARK: MessageID="240";nsect 1.6476",ProductAccount="tnon",ProductProcess="ionul",EventId="nibus",EventClass="edquiano",EventSeverity="medium",EventMessage="cancel",ActingUserName="ema",ActingAddress="10.74.237.180",ActionSourceUser="nsequu",ActionTargetUser="cup",ActionObject="boNemoen",ActionSafe="uid",ActionLocation="rors",ActionCategory="onofd",ActionRequestId="taed",ActionReason="lup",ActionExtraDetails="remeumf" -2016-06-20 04:35:42.332538723 +0000 UTC sectetur3333.mail.example %CYBERARK: MessageID="61";edqui 1.7780",ProductAccount="lor",ProductProcess="fugit",EventId="ido",EventClass="paqu",EventSeverity="high",EventMessage="allow",ActingUserName="remeum",ActingAddress="10.18.165.35",ActionSourceUser="admi",ActionTargetUser="modocons",ActionObject="elaudant",ActionSafe="tinvol",ActionLocation="dolore",ActionCategory="abor",ActionRequestId="iqui",ActionReason="etc",ActionExtraDetails="etM" -2016-07-04 11:38:16.592538723 +0000 UTC xercitat4824.local %CYBERARK: MessageID="90";ostr 1.4979",ProductAccount="onproide",ProductProcess="luptat",EventId="itaut",EventClass="imaven",EventSeverity="high",EventMessage="deny",ActingUserName="tema",ActingAddress="10.74.253.127",ActionSourceUser="tfug",ActionTargetUser="icab",ActionObject="mwr",ActionSafe="fugi",ActionLocation="inculpaq",ActionCategory="agna",ActionRequestId="tionemu",ActionReason="eomnisis",ActionExtraDetails="mqui" -errorsi 2016-07-18 18:40:50.852538723 +0000 UTC des5377.lan %CYBERARK: 
MessageID="385";Version=1.1697;Message=block;Issuer=ono;Station=10.189.109.245;File=emaperi;Safe=tame;Location="tinvol";Category=tectobe;RequestId=colabor;Reason=iusmodt;Severity=medium;GatewayStation=10.92.8.15;TicketID=agnaali;PolicyID=llitani;UserName=inima;LogonDomain=tlabo6088.www.localdomain;Address=Lor5841.internal.example;CPMStatus=sunt;Port="3075";Database=uines;DeviceType=nsec;ExtraDetails=onse -August 2 01:43:25 tat %CYBERARK: MessageID="190";tion 1.1761",ProductAccount="upt",ProductProcess="uiineavo",EventId="tisetq",EventClass="irati",EventSeverity="low",EventMessage="accept",ActingUserName="giatquov",ActingAddress="10.21.78.128",ActionSourceUser="riat",ActionTargetUser="taut",ActionObject="oreseos",ActionSafe="uames",ActionLocation="tati",ActionCategory="utaliqu",ActionRequestId="oriosamn",ActionReason="deFinibu",ActionExtraDetails="iadese" -%CYBERARK: MessageID="256";eporroqu 1.4200",ProductAccount="hil",ProductProcess="atquovo",EventId="suntinc",EventClass="xeac",EventSeverity="medium",EventMessage="deny",ActingUserName="tatn",ActingAddress="10.18.109.121",ActionSourceUser="ents",ActionTargetUser="pida",ActionObject="nse",ActionSafe="sinto",ActionLocation="emoeni",ActionCategory="oenimips",ActionRequestId="utlabore",ActionReason="ecillu",ActionExtraDetails="quip" -%CYBERARK: MessageID="105";Version=1.3727;Message=cancel;Issuer=iunt;Station=10.63.37.192;File=tio;Safe=orinrepr;Location=conse;Category=rumetM;RequestId=equi;Reason=agnaali;Severity=medium;SourceUser=sitvolup;TargetUser=reetd;GatewayStation=10.225.115.13;TicketID=maccusa;PolicyID=uptat;UserName=equep;LogonDomain=iavolu5352.localhost;Address=rpo79.mail.example;CPMStatus=siarchi;Port=2289;Database=aliqu;DeviceType=olupta;ExtraDetails=mipsumd; -remi 2016-09-13 22:51:07.892538723 +0000 UTC saute7154.internal.lan %CYBERARK: 
MessageID="105";Version=1.3219;Message=deny;Issuer=run;Station=10.47.202.102;File=quirat;Safe=llu;Location=licab;Category=eirure;RequestId=conseq;Reason=oidentsu;Severity=medium;SourceUser=aaliquaU;TargetUser=ntor;GatewayStation=10.95.64.124;TicketID=psaquae;PolicyID=ationemu;UserName=ice;LogonDomain=estiae3750.api.corp;Address=tionof7613.domain;CPMStatus=lapari;Port=2335;Database=ite;DeviceType=ationul;ExtraDetails=iquipex; -adol 2016-09-28 05:53:42.152538723 +0000 UTC doloremi7402.www.test %CYBERARK: MessageID="376";Version=1.6371;Message=block;Issuer=itquiin;Station=10.106.239.55;File=taevit;Safe=rinrepre;Location=etconse;Category=tincu;RequestId=ari;Reason=exercit;Severity=low;GatewayStation=10.244.114.61;TicketID=oluptate;PolicyID=onseq;UserName=serunt;LogonDomain=aquaeabi7735.internal.lan;Address=acc7692.home;CPMStatus=amest;Port="4147";Database=itame;DeviceType=intoc;ExtraDetails=oluptas; -2016-10-12 12:56:16.412538723 +0000 UTC luptasn2126.mail.home %CYBERARK: MessageID="24";Version=1.821;Message=allow;Issuer=ione;Station=10.125.160.129;File=suntexp;Safe=duntut;Location=magni;Category=pisciv;RequestId=iquidex;Reason=radipisc;Severity=low;SourceUser=nti;TargetUser=abi;GatewayStation=10.53.168.235;TicketID=fugitse;PolicyID=veniamq;UserName=one;LogonDomain=etMalor4236.www5.host;Address=quatD4191.local;CPMStatus=tenima;Port=5685;Database=sperna;DeviceType=eabilloi;ExtraDetails=estia; -orem 2016-10-26 19:58:50.672538723 +0000 UTC beata6448.mail.test %CYBERARK: MessageID="197";Version=1.1123;Message=allow;Issuer=tasuntex;Station=10.227.177.121;File=boN;Safe=eprehend;Location=aevit;Category=aboN;RequestId=ihilmo;Reason=radi;Severity=low;SourceUser=uames;TargetUser=iduntu;GatewayStation=10.33.245.220;TicketID=giatnu;PolicyID=ulapa;UserName=liqui;LogonDomain=quioffi1359.internal.lan;Address=eturadi6608.mail.host;CPMStatus=aera;Port=3366;Database=rvel;DeviceType=uid;ExtraDetails=onsecte; -November 10 03:01:24 edo %CYBERARK: 
MessageID="411";Version=1.5071;Message=allow;Issuer=econs;Station="10.98.182.220";File="untex";Safe="quiratio";Location="boree";Category="eco";RequestId=Utenimad;Reason=orpor;Severity="low";GatewayStation="10.167.85.181";TicketID=emvel;PolicyID="tmollita";UserName=fde;LogonDomain="nsecte3304.mail.corp";Address="eroi176.example";CPMStatus="non";Port="3341";Database=equat;DeviceType=derit;ExtraDetails="Command=dexea;ConnectionComponentId=atcu;DstHost=labor;ProcessId=6501;ProcessName=laboree.exe;Protocol=tcp;PSMID=intocc;RDPOffset=liqu;SessionID=eporr;SrcHost=xeacomm6855.api.corp;User=utlabor;VIDOffset=rau;" -November 24 10:03:59 aeabi %CYBERARK: MessageID="111";eiu 1.4456",ProductAccount="iciadese",ProductProcess="quidolor",EventId="tessec",EventClass="olupta",EventSeverity="high",EventMessage="block",ActingUserName="icabo",ActingAddress="10.89.208.95",ActionSourceUser="eleum",ActionTargetUser="sintoc",ActionObject="volupt",ActionSafe="siste",ActionLocation="uiinea",ActionCategory="Utenima",ActionRequestId="volupta",ActionReason="rcitati",ActionExtraDetails="eni" -Ute 2016-12-08 17:06:33.452538723 +0000 UTC sperna5368.mail.invalid %CYBERARK: MessageID="81";Version=1.509;Message=accept;Issuer=tDuisaut;Station=10.214.191.180;File=imvenia;Safe=spi;Location=stquido;Category=ommodico;RequestId=ptas;Reason=pta;Severity=medium;SourceUser=ptatemq;TargetUser=luptatev;GatewayStation=10.72.148.32;TicketID=ipsumd;PolicyID=ntocc;UserName=uteirure;LogonDomain=nevo4284.internal.local;Address=reetdolo6852.www.test;CPMStatus=nnum;Port=5428;Database=uamest;DeviceType=tco;ExtraDetails=uae; -%CYBERARK: 
MessageID="168";Version=1.3599;Message=block;Issuer=ipsumd;Station=10.136.190.236;File=evolu;Safe=ersp;Location=tquov;Category=diconseq;RequestId=inven;Reason=osquira;Severity=low;SourceUser=ataevi;TargetUser=com;GatewayStation=10.252.124.150;TicketID=trud;PolicyID=eriti;UserName=litessec;LogonDomain=itas981.mail.domain;Address=mporin6932.api.localdomain;CPMStatus=roid;Port=6604;Database=tasn;DeviceType=Nemoenim;ExtraDetails=squirati; -nbyCic 2017-01-06 07:11:41.972538723 +0000 UTC utlabor6305.internal.corp %CYBERARK: MessageID="90";Version=1.5649;Message=accept;Issuer=iquipe;Station=10.192.34.76;File=modtemp;Safe=quovol;Location=nve;Category=remag;RequestId=uredol;Reason=ccaecat;Severity=medium;SourceUser=onsequ;TargetUser=temqu;GatewayStation=10.213.144.249;TicketID=udexerci;PolicyID=naal;UserName=lore;LogonDomain=tnonpro7635.localdomain;Address=illoin2914.mail.lan;CPMStatus=uamni;Port=6895;Database=gnamal;DeviceType=metMalo;ExtraDetails=ntexplic; -%CYBERARK: MessageID="376";Version=1.2217;Message=accept;Issuer=untu;Station=10.154.4.197;File=con;Safe=nisist;Location=usmodte;Category=msequi;RequestId=tau;Reason=exercita;Severity=low;GatewayStation=10.216.84.30;TicketID=orumSe;PolicyID=boree;UserName=intoc;LogonDomain=rQuisau5300.www5.example;Address=evit5780.www.corp;CPMStatus=onev;Port="725";Database=oditem;DeviceType=gitsedqu;ExtraDetails=borios; -2017-02-03 21:16:50.492538723 +0000 UTC temUt631.www5.example %CYBERARK: MessageID="3";npr 1.4414",ProductAccount="niamqui",ProductProcess="boNem",EventId="ess",EventClass="ipisci",EventSeverity="medium",EventMessage="deny",ActingUserName="tqu",ActingAddress="10.143.193.199",ActionSourceUser="quam",ActionTargetUser="quid",ActionObject="fugiat",ActionSafe="atisun",ActionLocation="esci",ActionCategory="epre",ActionRequestId="tobeata",ActionReason="eroinBCS",ActionExtraDetails="inci" -February 18 04:19:24 rnatur %CYBERARK: 
MessageID="140";Version=1.5632;Message=deny;Issuer=essequam;Station=10.193.83.81;File=isisten;Safe=cusant;Location=atemq;Category=rinre;RequestId=naal;Reason=borios;Severity=high;SourceUser=isnostr;TargetUser=umqu;GatewayStation=10.65.175.9;TicketID=inesci;PolicyID=isnisi;UserName=ritatise;LogonDomain=uamei2389.internal.example;Address=uisa5736.internal.local;CPMStatus=cusant;Port=302;Database=ender;DeviceType=riamea;ExtraDetails=entorev; -%CYBERARK: MessageID="87";tutlab 1.792",ProductAccount="tatn",ProductProcess="dolorsit",EventId="sau",EventClass="aperia",EventSeverity="very-high",EventMessage="accept",ActingUserName="umdolo",ActingAddress="10.205.72.243",ActionSourceUser="stenatu",ActionTargetUser="isiuta",ActionObject="orsitam",ActionSafe="siutaliq",ActionLocation="dutp",ActionCategory="psaquaea",ActionRequestId="taevita",ActionReason="ameiusm",ActionExtraDetails="proide" -2017-03-18 18:24:33.272538723 +0000 UTC velitess7586.mail.example %CYBERARK: MessageID="45";nre 1.7231",ProductAccount="sit",ProductProcess="olab",EventId="eumiure",EventClass="ersp",EventSeverity="medium",EventMessage="allow",ActingUserName="mquisno",ActingAddress="10.107.9.163",ActionSourceUser="uptate",ActionTargetUser="mac",ActionObject="iumdol",ActionSafe="tpersp",ActionLocation="stla",ActionCategory="uptatema",ActionRequestId="oeni",ActionReason="tdol",ActionExtraDetails="sit" -April 2 01:27:07 psum %CYBERARK: MessageID="132";tasnulap 1.7220",ProductAccount="umSe",ProductProcess="xeacomm",EventId="cinge",EventClass="itla",EventSeverity="high",EventMessage="deny",ActingUserName="asiarc",ActingAddress="10.80.101.72",ActionSourceUser="uptate",ActionTargetUser="quidexea",ActionObject="ect",ActionSafe="modocons",ActionLocation="gitsed",ActionCategory="fugia",ActionRequestId="oditautf",ActionReason="quatu",ActionExtraDetails="veli" -April 16 08:29:41 labo %CYBERARK: 
MessageID="200";Version=1.267;Message=accept;Issuer=aboreetd;Station=10.235.136.109;File=lorin;Safe=pitl;Location=por;Category=quidexea;RequestId=nimid;Reason=runtmol;Severity=very-high;SourceUser=odi;TargetUser=ptass;GatewayStation=10.39.10.155;TicketID=dol;PolicyID=proiden;UserName=urExcept;LogonDomain=miurerep1152.internal.domain;Address=utlab3706.api.host;CPMStatus=dantium;Port=246;Database=teirured;DeviceType=onemulla;ExtraDetails=dolorem; -April 30 15:32:16 ationev %CYBERARK: MessageID="233";umdolor 1.4389",ProductAccount="itation",ProductProcess="paquioff",EventId="nci",EventClass="isau",EventSeverity="low",EventMessage="cancel",ActingUserName="ibusBon",ActingAddress="10.96.224.19",ActionSourceUser="nsequat",ActionTargetUser="doloreme",ActionObject="dun",ActionSafe="reprehe",ActionLocation="tincu",ActionCategory="suntin",ActionRequestId="itse",ActionReason="umexerc",ActionExtraDetails="oremipsu" -2017-05-14 22:34:50.312538723 +0000 UTC ntsunt4826.mail.corp %CYBERARK: MessageID="170";olo 1.237",ProductAccount="aec",ProductProcess="fdeF",EventId="iquidexe",EventClass="diconse",EventSeverity="medium",EventMessage="cancel",ActingUserName="reseo",ActingAddress="10.71.238.250",ActionSourceUser="consequa",ActionTargetUser="moenimi",ActionObject="olupt",ActionSafe="oconsequ",ActionLocation="edquiac",ActionCategory="urerepr",ActionRequestId="eseru",ActionReason="quamest",ActionExtraDetails="mac" -%CYBERARK: MessageID="294";Version=1.3804;Message=deny;Issuer=rationev;Station=10.226.20.199;File=tatem;Safe=untutlab;Location=amcor;Category=ica;RequestId=lillum;Reason=remips;Severity=low;SourceUser=taedicta;TargetUser=ritt;GatewayStation=10.226.101.180;TicketID=itesseq;PolicyID=dictasun;UserName=veniamqu;LogonDomain=rum5798.home;Address=mvel1188.internal.localdomain;CPMStatus=tetur;Port=2694;Database=conse;DeviceType=ipi;ExtraDetails=imveniam; -June 12 12:39:58 licabo %CYBERARK: 
MessageID="13";Version=1.1493;Message=cancel;Issuer=utaliqu;Station=10.86.22.67;File=nvolupt;Safe=oremi;Location=elites;Category=nbyCi;RequestId=tevel;Reason=usc;Severity=high;SourceUser=equinesc;TargetUser=cab;GatewayStation=10.134.65.15;TicketID=equepor;PolicyID=ncidid;UserName=quaUten;LogonDomain=nisiut3624.api.example;Address=perspici5680.domain;CPMStatus=iconseq;Port=2039;Database=isciv;DeviceType=rroqu;ExtraDetails=nofd; -%CYBERARK: MessageID="358";ilmol 1.5112",ProductAccount="tten",ProductProcess="ueipsa",EventId="tae",EventClass="autodit",EventSeverity="very-high",EventMessage="accept",ActingUserName="cidunt",ActingAddress="10.70.147.120",ActionSourceUser="exeaco",ActionTargetUser="emqu",ActionObject="nderi",ActionSafe="acommod",ActionLocation="itsedd",ActionCategory="leumiur",ActionRequestId="eratvol",ActionReason="quidol",ActionExtraDetails="eaqu" -luptatem 2017-07-11 02:45:07.352538723 +0000 UTC uaeratv3432.invalid %CYBERARK: MessageID="160";Version=1.6255;Message=cancel;Issuer=dqu;Station=10.178.242.100;File=dutpers;Safe=erun;Location=orisn;Category=reetd;RequestId=prehen;Reason=ntutlabo;Severity=medium;SourceUser=rad;TargetUser=loi;GatewayStation=10.24.111.229;TicketID=volupt;PolicyID=rem;UserName=idid;LogonDomain=tesse1089.www.host;Address=ptateve6909.www5.lan;CPMStatus=toccaec;Port=7645;Database=tenatuse;DeviceType=psaqua;ExtraDetails=ullamcor; -2017-07-25 09:47:41.612538723 +0000 UTC cupi1867.www5.test %CYBERARK: MessageID="67";orroq 1.6677",ProductAccount="ritati",ProductProcess="orisni",EventId="ons",EventClass="remagn",EventSeverity="very-high",EventMessage="deny",ActingUserName="mmodoc",ActingAddress="10.211.179.168",ActionSourceUser="atu",ActionTargetUser="untincul",ActionObject="ssecil",ActionSafe="commodi",ActionLocation="emporain",ActionCategory="ntiumto",ActionRequestId="umetMalo",ActionReason="oluptas",ActionExtraDetails="emvele" -Sedut 2017-08-08 16:50:15.872538723 +0000 UTC yCiceroi2786.www.test %CYBERARK: MessageID="141";iquamqua 
1.4890",ProductAccount="dolore",ProductProcess="nsequat",EventId="olorsi",EventClass="aliq",EventSeverity="low",EventMessage="cancel",ActingUserName="mven",ActingAddress="10.30.243.163",ActionSourceUser="oremag",ActionTargetUser="illu",ActionObject="ruredo",ActionSafe="mac",ActionLocation="temUt",ActionCategory="ptassita",ActionRequestId="its",ActionReason="lore",ActionExtraDetails="idol" -2017-08-22 23:52:50.132538723 +0000 UTC urmag7650.api.invalid %CYBERARK: MessageID="26";Version=1.1844;Message=cancel;Issuer=amvo;Station=10.6.79.159;File=ommodo;Safe=uptat;Location=idex;Category=ptateve;RequestId=cons;Reason=olorese;Severity=high;SourceUser=ore;TargetUser=quid;GatewayStation=10.212.214.4;TicketID=ddoeius;PolicyID=ugiatn;UserName=midestl;LogonDomain=dictasun3878.internal.localhost;Address=modocon5089.mail.example;CPMStatus=lupta;Port=5112;Database=urExce;DeviceType=asi;ExtraDetails=ectiono; -onu 2017-09-06 06:55:24.392538723 +0000 UTC liquaUte6729.api.localhost %CYBERARK: MessageID="150";Version=1.3546;Message=deny;Issuer=atDu;Station=10.237.170.202;File=maperi;Safe=agnaaliq;Location=tlaboree;Category=norumet;RequestId=dtempo;Reason=tin;Severity=low;SourceUser=mve;TargetUser=liquide;GatewayStation=10.70.147.46;TicketID=inv;PolicyID=rroq;UserName=rcit;LogonDomain=aecatcup2241.www5.test;Address=tempor1282.www5.localhost;CPMStatus=incidid;Port=7699;Database=taedict;DeviceType=edquian;ExtraDetails=loremeu; -dmi 2017-09-20 13:57:58.652538723 +0000 UTC untexpl2847.www5.local %CYBERARK: MessageID="292";Version=1.4282;Message=allow;Issuer=emoe;Station=10.179.50.138;File=ehende;Safe=eaqueip;Location=eum;Category=lamc;RequestId=umetMal;Reason=asper;Severity=high;SourceUser=metcons;TargetUser=itasper;GatewayStation=10.228.118.81;TicketID=temquiav;PolicyID=obeata;UserName=tatemU;LogonDomain=mad5185.www5.localhost;Address=mipsum2964.invalid;CPMStatus=doei;Port=6825;Database=toditaut;DeviceType=voluptat;ExtraDetails=ugit; -October 4 21:00:32 asnu %CYBERARK: 
MessageID="38";Version=1.3806;Message=cancel;Issuer=henderit;Station=10.49.71.118;File=ationul;Safe=mquisn;Location=queips;Category=midest;RequestId=dex;Reason=ccae;Severity=medium;SourceUser=eavolup;TargetUser=emip;GatewayStation=10.234.165.130;TicketID=ntexplic;PolicyID=uto;UserName=iuntNequ;LogonDomain=esseq7889.www.invalid;Address=veniamq1236.invalid;CPMStatus=emo;Port=1458;Database=veniamqu;DeviceType=licaboN;ExtraDetails=atquo; -udan 2017-10-19 04:03:07.172538723 +0000 UTC yCic5749.www.localhost %CYBERARK: MessageID="119";itanim 1.4024",ProductAccount="olorema",ProductProcess="mollita",EventId="tatem",EventClass="iae",EventSeverity="low",EventMessage="allow",ActingUserName="emip",ActingAddress="10.199.5.49",ActionSourceUser="stquid",ActionTargetUser="turadipi",ActionObject="usmodi",ActionSafe="ree",ActionLocation="saquaea",ActionCategory="ation",ActionRequestId="luptas",ActionReason="minim",ActionExtraDetails="ataevi" -%CYBERARK: MessageID="156";plic 1.7053",ProductAccount="utlabo",ProductProcess="tetur",EventId="tionula",EventClass="ritqu",EventSeverity="very-high",EventMessage="allow",ActingUserName="uamei",ActingAddress="10.193.219.34",ActionSourceUser="onse",ActionTargetUser="olorem",ActionObject="turvel",ActionSafe="eratv",ActionLocation="ipsa",ActionCategory="asuntexp",ActionRequestId="adminim",ActionReason="orisni",ActionExtraDetails="nse" -November 16 18:08:15 nderi %CYBERARK: MessageID="202";Version=1.7083;Message=allow;Issuer=animid;Station=10.120.167.217;File=atuse;Safe=ueipsa;Location=scipitl;Category=eumi;RequestId=quasiarc;Reason=olli;Severity=low;SourceUser=tetura;TargetUser=rsp;GatewayStation=10.174.185.109;TicketID=roquisqu;PolicyID=edolorin;UserName=dolorem;LogonDomain=tem6815.home;Address=taliqui5348.mail.localdomain;CPMStatus=loremag;Port=6816;Database=tsuntinc;DeviceType=inrepreh;ExtraDetails=quovo; -%CYBERARK: 
MessageID="133";Version=1.1432;Message=cancel;Issuer=atev;Station=10.117.137.159;File=acommodi;Safe=essecill;Location=billoi;Category=moles;RequestId=dipiscin;Reason=olup;Severity=high;SourceUser=undeomni;TargetUser=accusa;GatewayStation=10.141.213.219;TicketID=itat;PolicyID=stlaboru;UserName=ate;LogonDomain=mporainc2064.home;Address=atnulapa3548.www.domain;CPMStatus=radipisc;Port=5347;Database=nibus;DeviceType=vitaed;ExtraDetails=ser; -2017-12-15 08:13:24.212538723 +0000 UTC ill6772.www.invalid %CYBERARK: MessageID="104";Version=1.4043;Message=cancel;Issuer=rem;Station=10.166.90.130;File=mdolore;Safe=eosquira;Location=pta;Category=snos;RequestId=orsi;Reason=tetura;Severity=very-high;SourceUser=lorsita;TargetUser=eavol;GatewayStation=10.94.224.229;TicketID=lupta;PolicyID=npr;UserName=etconsec;LogonDomain=caboNem1043.internal.home;Address=litesseq6785.host;CPMStatus=tob;Port=7390;Database=oditempo;DeviceType=doeiu;ExtraDetails=deF; -rcitat 2017-12-29 15:15:58.472538723 +0000 UTC dolorema2984.www.home %CYBERARK: MessageID="316";Version=1.2456;Message=deny;Issuer=tiumto;Station=10.38.28.151;File=nrepreh;Safe=ratv;Location=alorum;Category=mquisn;RequestId=atq;Reason=erspi;Severity=low;SourceUser=ugiatquo;TargetUser=incidid;GatewayStation=10.201.81.46;TicketID=sBonor;PolicyID=fugits;UserName=mipsumqu;LogonDomain=tatio6513.www.invalid;Address=onnu2272.mail.corp;CPMStatus=atatnon;Port=6064;Database=abor;DeviceType=magnid;ExtraDetails=adol; -January 12 22:18:32 niam %CYBERARK: MessageID="266";Version=1.2721;Message=deny;Issuer=rerepre;Station=10.214.245.95;File=quiineav;Safe=billoinv;Location=sci;Category=col;RequestId=obea;Reason=emp;Severity=medium;SourceUser=luptas;TargetUser=uptatem;GatewayStation=10.255.28.56;TicketID=inrepr;PolicyID=mol;UserName=umdolors;LogonDomain=dolori6232.api.invalid;Address=llit958.www.domain;CPMStatus=tat;Port=2957;Database=odt;DeviceType=cillumd;ExtraDetails=riosa; -January 27 05:21:06 lapar %CYBERARK: MessageID="311";ritati 
1.3219",ProductAccount="qui",ProductProcess="otamr",EventId="nim",EventClass="ame",EventSeverity="very-high",EventMessage="cancel",ActingUserName="mip",ActingAddress="10.45.35.180",ActionSourceUser="mvolupta",ActionTargetUser="Utenima",ActionObject="iqua",ActionSafe="luptat",ActionLocation="deriti",ActionCategory="sintocc",ActionRequestId="cididu",ActionReason="uteir",ActionExtraDetails="boree" -February 10 12:23:41 diduntu %CYBERARK: MessageID="285";eiusmod 1.7546",ProductAccount="ess",ProductProcess="uide",EventId="scivel",EventClass="henderi",EventSeverity="low",EventMessage="accept",ActingUserName="enim",ActingAddress="10.141.200.133",ActionSourceUser="ersp",ActionTargetUser="iame",ActionObject="orroquis",ActionSafe="aquio",ActionLocation="riatu",ActionCategory="loinve",ActionRequestId="tanimid",ActionReason="isnostru",ActionExtraDetails="nofdeFi" -%CYBERARK: MessageID="155";ulap 1.3765",ProductAccount="illoi",ProductProcess="reetdolo",EventId="rationev",EventClass="ehender",EventSeverity="medium",EventMessage="accept",ActingUserName="ugi",ActingAddress="10.83.238.145",ActionSourceUser="ptatems",ActionTargetUser="runtmo",ActionObject="ore",ActionSafe="isund",ActionLocation="exerci",ActionCategory="tas",ActionRequestId="oraincid",ActionReason="quaer",ActionExtraDetails="eetdo" -2018-03-11 02:28:49.772538723 +0000 UTC aali6869.api.localdomain %CYBERARK: MessageID="48";Version=1.3147;Message=block;Issuer=sedquiac;Station=10.39.143.155;File=ipsaqu;Safe=nisiut;Location=rumwri;Category=velill;RequestId=ore;Reason=tation;Severity=very-high;SourceUser=porincid;TargetUser=tperspic;GatewayStation=10.41.89.217;TicketID=ict;PolicyID=squirati;UserName=tem;LogonDomain=mestq2106.api.host;Address=llamc6724.www.lan;CPMStatus=tesseci;Port=4020;Database=radipis;DeviceType=cive;ExtraDetails=nse; -isnisiu 2018-03-25 09:31:24.032538723 +0000 UTC suntincu2940.www5.domain %CYBERARK: 
MessageID="378";Version=1.6382;Message=accept;Issuer=minim;Station=10.5.5.1;File=reseosq;Safe=gna;Location=isiutali;Category=lumqu;RequestId=onulamco;Reason=ons;Severity=low;SourceUser=uptat;TargetUser=unt;GatewayStation=10.153.123.20;TicketID=tla;PolicyID=mquiad;UserName=CSe;LogonDomain=lors7553.api.local;Address=reseosqu1629.mail.lan;CPMStatus=utemvel;Port=5325;Database=atu;DeviceType=iusm;ExtraDetails=roi; -2018-04-08 16:33:58.292538723 +0000 UTC rere5274.mail.domain %CYBERARK: MessageID="269";Version=1.3193;Message=deny;Issuer=iamea;Station=10.210.61.109;File=tiumto;Safe=cor;Location=odoco;Category=oin;RequestId=itseddoe;Reason=elites;Severity=low;SourceUser=uamei;TargetUser=eursinto;GatewayStation=10.168.132.175;TicketID=licaboNe;PolicyID=tautfug;UserName=giatquov;LogonDomain=olu5333.www.domain;Address=orumSe4514.www.corp;CPMStatus=umquam;Port=80;Database=ici;DeviceType=nisiuta;ExtraDetails=iquaUt; -%CYBERARK: MessageID="176";atnula 1.5038",ProductAccount="lmo",ProductProcess="iquidex",EventId="olup",EventClass="remipsu",EventSeverity="low",EventMessage="accept",ActingUserName="quiac",ActingAddress="10.123.154.17",ActionSourceUser="etdol",ActionTargetUser="dolorsi",ActionObject="nturmag",ActionSafe="tura",ActionLocation="osquirat",ActionCategory="equat",ActionRequestId="aliquid",ActionReason="usantiu",ActionExtraDetails="idunt" -%CYBERARK: MessageID="4";min 1.136",ProductAccount="xplic",ProductProcess="eseruntm",EventId="lpaquiof",EventClass="oloreeu",EventSeverity="very-high",EventMessage="deny",ActingUserName="etquasia",ActingAddress="10.169.123.103",ActionSourceUser="riatur",ActionTargetUser="oeni",ActionObject="dol",ActionSafe="dol",ActionLocation="atur",ActionCategory="issu",ActionRequestId="identsu",ActionReason="piscivel",ActionExtraDetails="hend" -%CYBERARK: MessageID="276";aer 
1.7744",ProductAccount="iati",ProductProcess="minim",EventId="scipi",EventClass="tur",EventSeverity="very-high",EventMessage="cancel",ActingUserName="Nemoenim",ActingAddress="10.126.205.76",ActionSourceUser="etur",ActionTargetUser="rsitvol",ActionObject="utali",ActionSafe="sed",ActionLocation="xeac",ActionCategory="umdolors",ActionRequestId="lumdo",ActionReason="acom",ActionExtraDetails="eFini" -June 4 20:44:15 uovol %CYBERARK: MessageID="38";Version=1.3184;Message=accept;Issuer=eufug;Station=10.164.66.154;File=est;Safe=civelits;Location=ici;Category=snulap;RequestId=enimadm;Reason=stenatu;Severity=very-high;SourceUser=sitvo;TargetUser=ine;GatewayStation=10.169.101.161;TicketID=itessequ;PolicyID=iusmodit;UserName=orissu;LogonDomain=fic5107.home;Address=mmodoco2581.www5.host;CPMStatus=isiutali;Port=3575;Database=stquidol;DeviceType=Nemoenim;ExtraDetails=imadmini; -amvo 2018-06-19 03:46:49.592538723 +0000 UTC tnul6235.www5.lan %CYBERARK: MessageID="79";isau 1.1480",ProductAccount="ihilmole",ProductProcess="saquaea",EventId="ons",EventClass="orsitam",EventSeverity="medium",EventMessage="block",ActingUserName="metco",ActingAddress="10.70.83.200",ActionSourceUser="riame",ActionTargetUser="riat",ActionObject="sseq",ActionSafe="eriam",ActionLocation="pernat",ActionCategory="udan",ActionRequestId="archi",ActionReason="iutaliq",ActionExtraDetails="urQuis" -July 3 10:49:23 orum %CYBERARK: MessageID="53";Version=1.4887;Message=block;Issuer=madminim;Station=10.207.97.192;File=quio;Safe=eom;Location=teni;Category=ipiscive;RequestId=dant;Reason=etdolor;Severity=high;SourceUser=paria;TargetUser=mmod;GatewayStation=10.134.55.11;TicketID=amqu;PolicyID=lorsitam;UserName=tanimid;LogonDomain=onpr47.api.home;Address=oremqu7663.local;CPMStatus=llumq;Port=5816;Database=tetura;DeviceType=rumet;ExtraDetails=uptasnul; -2018-07-17 17:51:58.112538723 +0000 UTC nde2358.mail.corp %CYBERARK: 
MessageID="75";Version=1.3601;Message=cancel;Issuer=texplica;Station=10.52.150.104;File=esse;Safe=veniam;Location=edquian;Category=sus;RequestId=imavenia;Reason=expli;Severity=low;SourceUser=orum;TargetUser=oinBCSed;GatewayStation=10.31.187.19;TicketID=ilm;PolicyID=mvel;UserName=eritq;LogonDomain=rehen4859.api.host;Address=eve234.www5.local;CPMStatus=nula;Port=2783;Database=lit;DeviceType=santi;ExtraDetails=ritati; -dip 2018-08-01 00:54:32.372538723 +0000 UTC idolo5292.local %CYBERARK: MessageID="89";Version=1.3175;Message=allow;Issuer=runtm;Station=10.41.232.147;File=psumd;Safe=oloree;Location=seos;Category=rios;RequestId=labo;Reason=lpaquiof;Severity=high;SourceUser=mcorpo;TargetUser=ntexpl;GatewayStation=10.61.175.217;TicketID=enbyCi;PolicyID=reetdo;UserName=tat;LogonDomain=eufugia4481.corp;Address=fficia2304.www5.home;CPMStatus=vel;Port=2396;Database=rere;DeviceType=pta;ExtraDetails=nonn; -August 15 07:57:06 volup %CYBERARK: MessageID="261";ptate 1.3830",ProductAccount="uisnos",ProductProcess="quamqua",EventId="ntut",EventClass="mag",EventSeverity="very-high",EventMessage="deny",ActingUserName="mini",ActingAddress="10.150.30.95",ActionSourceUser="tur",ActionTargetUser="atnonpr",ActionObject="ita",ActionSafe="amquaer",ActionLocation="aqui",ActionCategory="enby",ActionRequestId="lpa",ActionReason="isn",ActionExtraDetails="smod" -August 29 14:59:40 siuta %CYBERARK: MessageID="66";atev 1.6626",ProductAccount="CSe",ProductProcess="exerci",EventId="inesciu",EventClass="quid",EventSeverity="high",EventMessage="deny",ActingUserName="onse",ActingAddress="10.98.71.45",ActionSourceUser="destla",ActionTargetUser="fugitse",ActionObject="minimve",ActionSafe="serrorsi",ActionLocation="tametco",ActionCategory="mquisnos",ActionRequestId="lore",ActionReason="isci",ActionExtraDetails="Dui" -lup 2018-09-12 22:02:15.152538723 +0000 UTC iumtotam1010.www5.corp %CYBERARK: MessageID="168";userror 
1.5986",ProductAccount="nonn",ProductProcess="hite",EventId="ianonnum",EventClass="nofdeFi",EventSeverity="medium",EventMessage="deny",ActingUserName="remq",ActingAddress="10.252.251.143",ActionSourceUser="velill",ActionTargetUser="rspic",ActionObject="orinrepr",ActionSafe="ror",ActionLocation="onsecte",ActionCategory="doei",ActionRequestId="nvolupta",ActionReason="tev",ActionExtraDetails="nre" -%CYBERARK: MessageID="274";lumdolor 1.4706",ProductAccount="eserun",ProductProcess="rvelill",EventId="lupta",EventClass="byC",EventSeverity="high",EventMessage="accept",ActingUserName="uta",ActingAddress="10.197.203.167",ActionSourceUser="ulapa",ActionTargetUser="iumdo",ActionObject="iusmodit",ActionSafe="aturv",ActionLocation="ectetura",ActionCategory="obeataev",ActionRequestId="umf",ActionReason="olesti",ActionExtraDetails="smo" -tDuis 2018-10-11 12:07:23.672538723 +0000 UTC iqu1643.www.host %CYBERARK: MessageID="96";inim 1.6806",ProductAccount="ibusBo",ProductProcess="untincu",EventId="tten",EventClass="etur",EventSeverity="low",EventMessage="accept",ActingUserName="enima",ActingAddress="10.187.170.23",ActionSourceUser="sequ",ActionTargetUser="sectetu",ActionObject="evi",ActionSafe="tionula",ActionLocation="accus",ActionCategory="uatu",ActionRequestId="mquis",ActionReason="lab",ActionExtraDetails="uido" -2018-10-25 19:09:57.932538723 +0000 UTC nimadmin5577.corp %CYBERARK: MessageID="61";Version=1.3824;Message=allow;Issuer=tinculpa;Station=10.123.62.215;File=rumSecti;Safe=riamea;Location=eca;Category=oluptate;RequestId=Duisa;Reason=consequa;Severity=low;SourceUser=iaecon;TargetUser=aevitaed;GatewayStation=10.250.248.215;TicketID=remap;PolicyID=deri;UserName=quaeratv;LogonDomain=involu1450.www.localhost;Address=udexerc2708.api.test;CPMStatus=odic;Port=505;Database=lica;DeviceType=secil;ExtraDetails=uisnos; -scipit 2018-11-09 02:12:32.192538723 +0000 UTC lloinve551.internal.local %CYBERARK: 
MessageID="372";Version=1.3759;Message=block;Issuer=isiutali;Station=10.146.57.23;File=evit;Safe=tno;Location=iss;Category=taspe;RequestId=lum;Reason=xerc;Severity=high;GatewayStation=10.147.154.118;TicketID=nvol;PolicyID=enimadmi;UserName=tateveli;LogonDomain=osa3211.www5.example;Address=temvele5776.www.test;CPMStatus=inimve;Port="864";Database=cin;DeviceType=tmo;ExtraDetails=onofdeF; -its 2018-11-23 09:15:06.452538723 +0000 UTC uptasnul2751.www5.corp %CYBERARK: MessageID="232";ostrudex 1.4542",ProductAccount="niamqui",ProductProcess="usmodite",EventId="tlabo",EventClass="tatemse",EventSeverity="very-high",EventMessage="cancel",ActingUserName="uamestqu",ActingAddress="10.193.33.201",ActionSourceUser="hender",ActionTargetUser="ptatemU",ActionObject="seq",ActionSafe="rumSe",ActionLocation="tatnonp",ActionCategory="ommo",ActionRequestId="adeser",ActionReason="uasiarc",ActionExtraDetails="doeiu" -2018-12-07 16:17:40.712538723 +0000 UTC atuserro6791.internal.host %CYBERARK: MessageID="24";upta 1.313",ProductAccount="onnumqua",ProductProcess="quioff",EventId="iuntN",EventClass="ipis",EventSeverity="low",EventMessage="block",ActingUserName="nesci",ActingAddress="10.154.172.82",ActionSourceUser="lorsi",ActionTargetUser="tetura",ActionObject="eeufug",ActionSafe="edutper",ActionLocation="tevelite",ActionCategory="tocca",ActionRequestId="orsitvol",ActionReason="ntor",ActionExtraDetails="oinBCSed" -%CYBERARK: MessageID="79";obeatae 1.1886",ProductAccount="midestl",ProductProcess="quatu",EventId="avolu",EventClass="teturad",EventSeverity="very-high",EventMessage="allow",ActingUserName="expl",ActingAddress="10.47.63.70",ActionSourceUser="lup",ActionTargetUser="tpers",ActionObject="orsitv",ActionSafe="temseq",ActionLocation="uisaute",ActionCategory="uun",ActionRequestId="end",ActionReason="odocons",ActionExtraDetails="olu" -January 5 06:22:49 amn %CYBERARK: MessageID="312";itessequ 
1.5170",ProductAccount="fdeFinib",ProductProcess="uip",EventId="ectobea",EventClass="dat",EventSeverity="very-high",EventMessage="block",ActingUserName="turQuis",ActingAddress="10.178.160.245",ActionSourceUser="deomnisi",ActionTargetUser="olupta",ActionObject="oll",ActionSafe="laboree",ActionLocation="udantiu",ActionCategory="itametco",ActionRequestId="iav",ActionReason="odico",ActionExtraDetails="rsint" -January 19 13:25:23 quiav %CYBERARK: MessageID="77";Version=1.6648;Message=block;Issuer=Nem;Station=10.85.13.237;File=oluptat;Safe=enimad;Location=tis;Category=qua;RequestId=con;Reason=tore;Severity=high;SourceUser=quelaud;TargetUser=luptat;GatewayStation=10.89.154.115;TicketID=oeiusmo;PolicyID=nimv;UserName=emeu;LogonDomain=tatemac5192.www5.test;Address=teursint1321.www5.example;CPMStatus=lamcolab;Port=7024;Database=nturmag;DeviceType=uredol;ExtraDetails=maliqua; -2019-02-02 20:27:57.752538723 +0000 UTC omnisi5530.mail.example %CYBERARK: MessageID="308";Version=1.3387;Message=allow;Issuer=itame;Station=10.222.32.183;File=yCiceroi;Safe=nostrum;Location=orroquis;Category=eumi;RequestId=tvo;Reason=aea;Severity=low;SourceUser=mmo;TargetUser=eve;GatewayStation=10.65.207.234;TicketID=ciad;PolicyID=ugiatqu;UserName=eruntmo;LogonDomain=nimve2787.mail.test;Address=boreet2051.internal.localdomain;CPMStatus=iavo;Port=1644;Database=udexerc;DeviceType=ovolupta;ExtraDetails=volup; -rro 2019-02-17 03:30:32.012538723 +0000 UTC tuser6944.local %CYBERARK: MessageID="54";iarchite 1.1612",ProductAccount="oinven",ProductProcess="natu",EventId="edqu",EventClass="tationu",EventSeverity="high",EventMessage="cancel",ActingUserName="olore",ActingAddress="10.16.181.60",ActionSourceUser="ameaquei",ActionTargetUser="gnama",ActionObject="esciun",ActionSafe="tesse",ActionLocation="olupta",ActionCategory="isno",ActionRequestId="oluptas",ActionReason="nderiti",ActionExtraDetails="uatu" -orem 2019-03-03 10:33:06.272538723 +0000 UTC giatqu1484.internal.corp %CYBERARK: MessageID="208";oreseosq 
1.2275",ProductAccount="uianon",ProductProcess="nul",EventId="onse",EventClass="sitam",EventSeverity="very-high",EventMessage="deny",ActingUserName="illoin",ActingAddress="10.91.213.82",ActionSourceUser="uid",ActionTargetUser="amnis",ActionObject="rvelil",ActionSafe="adese",ActionLocation="olorsi",ActionCategory="caboNemo",ActionRequestId="uptas",ActionReason="temaccus",ActionExtraDetails="ons" -2019-03-17 17:35:40.532538723 +0000 UTC oreeu3666.invalid %CYBERARK: MessageID="48";tis 1.6724",ProductAccount="eprehe",ProductProcess="tinvolup",EventId="iaeconse",EventClass="uisa",EventSeverity="medium",EventMessage="allow",ActingUserName="tdolo",ActingAddress="10.204.214.98",ActionSourceUser="iumt",ActionTargetUser="porissus",ActionObject="imip",ActionSafe="tsunt",ActionLocation="rnat",ActionCategory="oremi",ActionRequestId="ectobeat",ActionReason="ecte",ActionExtraDetails="abo" -%CYBERARK: MessageID="219";snos 1.5910",ProductAccount="moenimip",ProductProcess="uames",EventId="tium",EventClass="ianonn",EventSeverity="very-high",EventMessage="accept",ActingUserName="etc",ActingAddress="10.223.178.192",ActionSourceUser="atquovol",ActionTargetUser="evel",ActionObject="edol",ActionSafe="sequuntu",ActionLocation="quameius",ActionCategory="litse",ActionRequestId="san",ActionReason="apari",ActionExtraDetails="iarchit" -2019-04-15 07:40:49.052538723 +0000 UTC nsequat6724.www.invalid %CYBERARK: MessageID="183";Version=1.801;Message=cancel;Issuer=ati;Station=10.26.137.126;File=dolor;Safe=Mal;Location=ametcons;Category=tconse;RequestId=eumf;Reason=roquisq;Severity=medium;SourceUser=doconse;TargetUser=audant;GatewayStation=10.26.33.181;TicketID=remeum;PolicyID=mmod;UserName=taevit;LogonDomain=ama6820.mail.example;Address=umto3015.mail.lan;CPMStatus=sitv;Port=4667;Database=com;DeviceType=rep;ExtraDetails=mveni; -April 29 14:43:23 num %CYBERARK: 
MessageID="41";Version=1.10;Message=accept;Issuer=quaerat;Station=10.148.195.208;File=amnih;Safe=tper;Location=pisciv;Category=tconsect;RequestId=pariat;Reason=iutal;Severity=low;SourceUser=ctobeat;TargetUser=isi;GatewayStation=10.142.161.116;TicketID=eca;PolicyID=ctionofd;UserName=mpori;LogonDomain=olupt966.www5.corp;Address=etquasia1800.www.host;CPMStatus=nimip;Port=7612;Database=squamest;DeviceType=quisn;ExtraDetails=pteu; -velillum 2019-05-13 21:45:57.572538723 +0000 UTC ntNequ7639.internal.localdomain %CYBERARK: MessageID="270";Version=1.1026;Message=block;Issuer=itinvo;Station=10.107.24.54;File=emipsumq;Safe=culpaq;Location=quamq;Category=usan;RequestId=tdolo;Reason=ident;Severity=medium;SourceUser=itaedi;TargetUser=hend;GatewayStation=10.10.174.253;TicketID=esciun;PolicyID=tasnul;UserName=uptasn;LogonDomain=lit4112.www.localhost;Address=quisquam2153.mail.host;CPMStatus=dit;Port=2717;Database=lup;DeviceType=aeca;ExtraDetails=isau; -May 28 04:48:31 boreetd %CYBERARK: MessageID="309";tNe 1.2566",ProductAccount="eeufug",ProductProcess="ntin",EventId="iades",EventClass="radipis",EventSeverity="very-high",EventMessage="deny",ActingUserName="luptate",ActingAddress="10.87.92.17",ActionSourceUser="utlabore",ActionTargetUser="tamr",ActionObject="serr",ActionSafe="usci",ActionLocation="unturmag",ActionCategory="dexeaco",ActionRequestId="lupta",ActionReason="ura",ActionExtraDetails="oreeufug" -June 11 11:51:06 dolo %CYBERARK: MessageID="295";Version=1.5649;Message=deny;Issuer=Finibus;Station=10.161.51.135;File=porin;Safe=metMal;Location=ciati;Category=ecillum;RequestId=olor;Reason=amei;Severity=medium;SourceUser=quid;TargetUser=accus;GatewayStation=10.231.51.136;TicketID=ctobeat;PolicyID=upta;UserName=asper;LogonDomain=dictasun3408.internal.invalid;Address=secte1774.localhost;CPMStatus=iqui;Port=5200;Database=litani;DeviceType=emp;ExtraDetails=arch; -June 25 18:53:40 dipisciv %CYBERARK: MessageID="148";uam 
1.2575",ProductAccount="llum",ProductProcess="mwr",EventId="cia",EventClass="idolo",EventSeverity="low",EventMessage="allow",ActingUserName="mquido",ActingAddress="10.51.17.32",ActionSourceUser="ree",ActionTargetUser="itten",ActionObject="quipexea",ActionSafe="orsitv",ActionLocation="dunt",ActionCategory="int",ActionRequestId="ionevo",ActionReason="llitani",ActionExtraDetails="uscipit" -etco 2019-07-10 01:56:14.612538723 +0000 UTC iuntN4077.www.invalid %CYBERARK: MessageID="260";isnostru 1.270",ProductAccount="mmodicon",ProductProcess="eetdo",EventId="mquisno",EventClass="atvolup",EventSeverity="medium",EventMessage="deny",ActingUserName="ollita",ActingAddress="10.108.123.148",ActionSourceUser="cto",ActionTargetUser="cusa",ActionObject="nderi",ActionSafe="tem",ActionLocation="tcu",ActionCategory="eumiu",ActionRequestId="nim",ActionReason="pteurs",ActionExtraDetails="ercitati" -July 24 08:58:48 eturadip %CYBERARK: MessageID="8";Version=1.425;Message=accept;Issuer=rsitamet;Station=10.114.0.148;File=utod;Safe=olesti;Location=edquia;Category=ihi;RequestId=undeomn;Reason=ape;Severity=medium;SourceUser=amco;TargetUser=ons;GatewayStation=10.198.187.144;TicketID=atquo;PolicyID=borio;UserName=equatD;LogonDomain=uidol6868.mail.localdomain;Address=uido2773.www5.test;CPMStatus=acons;Port=3820;Database=periam;DeviceType=ain;ExtraDetails=umiurer; -onorume 2019-08-07 16:01:23.132538723 +0000 UTC abill5290.lan %CYBERARK: MessageID="89";mini 1.7224",ProductAccount="loru",ProductProcess="iadeser",EventId="litess",EventClass="qui",EventSeverity="low",EventMessage="allow",ActingUserName="equa",ActingAddress="10.61.140.120",ActionSourceUser="olorsit",ActionTargetUser="naaliq",ActionObject="plica",ActionSafe="asiarc",ActionLocation="lor",ActionCategory="nvolupt",ActionRequestId="dquia",ActionReason="ora",ActionExtraDetails="umfugiat" -%CYBERARK: 
MessageID="36";Version=1.6988;Message=deny;Issuer=ite;Station=10.93.24.151;File=Duis;Safe=lupt;Location=quatur;Category=dminim;RequestId=ptatevel;Reason=aperiame;Severity=very-high;SourceUser=eirured;TargetUser=sequamn;GatewayStation=10.149.238.108;TicketID=ciatisun;PolicyID=duntutl;UserName=nven;LogonDomain=ptat4878.lan;Address=quame1852.www.test;CPMStatus=deomni;Port=4512;Database=fugi;DeviceType=nse;ExtraDetails=nesciu; -September 5 06:06:31 inrepreh %CYBERARK: MessageID="39";rit 1.6107",ProductAccount="cipitla",ProductProcess="tlab",EventId="vel",EventClass="ionevo",EventSeverity="high",EventMessage="accept",ActingUserName="uinesc",ActingAddress="10.101.45.225",ActionSourceUser="utla",ActionTargetUser="emi",ActionObject="uaerat",ActionSafe="iduntu",ActionLocation="samvol",ActionCategory="equa",ActionRequestId="apari",ActionReason="tsunt",ActionExtraDetails="caecat" -qui 2019-09-19 13:09:05.912538723 +0000 UTC caboN3124.mail.home %CYBERARK: MessageID="8";catcupid 1.3167",ProductAccount="quela",ProductProcess="uamquaer",EventId="texplica",EventClass="enimi",EventSeverity="low",EventMessage="cancel",ActingUserName="ore",ActingAddress="10.2.204.161",ActionSourceUser="iquamqu",ActionTargetUser="eumfugia",ActionObject="reeufugi",ActionSafe="sequines",ActionLocation="minimve",ActionCategory="texplica",ActionRequestId="entorev",ActionReason="quuntur",ActionExtraDetails="olup" -les 2019-10-03 20:11:40.172538723 +0000 UTC norumet2571.internal.example %CYBERARK: MessageID="89";temp 1.6971",ProductAccount="aliqu",ProductProcess="sequine",EventId="utaliqui",EventClass="isciv",EventSeverity="very-high",EventMessage="cancel",ActingUserName="ptatemse",ActingAddress="10.33.112.100",ActionSourceUser="catcup",ActionTargetUser="enimad",ActionObject="magnaali",ActionSafe="velillum",ActionLocation="ionev",ActionCategory="vitaedi",ActionRequestId="rna",ActionReason="cons",ActionExtraDetails="Except" -%CYBERARK: 
MessageID="95";Version=1.3175;Message=block;Issuer=neavol;Station=10.94.152.238;File=rporiss;Safe=billoinv;Location=etconse;Category=nesciu;RequestId=mali;Reason=roinBCSe;Severity=very-high;SourceUser=uames;TargetUser=tla;GatewayStation=10.151.110.250;TicketID=psa;PolicyID=nreprehe;UserName=pidatatn;LogonDomain=isno4595.local;Address=lla5407.lan;CPMStatus=upt;Port=4762;Database=itaedict;DeviceType=eroi;ExtraDetails=onemull; -mporain 2019-11-01 10:16:48.692538723 +0000 UTC eratvo7756.localdomain %CYBERARK: MessageID="179";Version=1.4965;Message=allow;Issuer=alorumwr;Station=10.146.61.5;File=tvolu;Safe=imve;Location=ollitan;Category=temseq;RequestId=vol;Reason=loremips;Severity=high;SourceUser=eturadi;TargetUser=umS;GatewayStation=10.77.9.17;TicketID=henderi;PolicyID=taevitae;UserName=tevel;LogonDomain=tatemse5403.home;Address=iquipexe4708.api.localhost;CPMStatus=quuntur;Port=5473;Database=amremap;DeviceType=oremagna;ExtraDetails=aqu; -%CYBERARK: MessageID="83";tvolu 1.2244",ProductAccount="ore",ProductProcess="lors",EventId="saute",EventClass="ecillumd",EventSeverity="high",EventMessage="allow",ActingUserName="sequatu",ActingAddress="10.128.102.130",ActionSourceUser="mdoloree",ActionTargetUser="que",ActionObject="inBCSed",ActionSafe="cteturad",ActionLocation="umq",ActionCategory="ita",ActionRequestId="ipsaquae",ActionReason="olu",ActionExtraDetails="exerci" -2019-11-30 00:21:57.212538723 +0000 UTC moen6809.internal.example %CYBERARK: MessageID="150";Version=1.7701;Message=cancel;Issuer=reseo;Station=10.31.86.83;File=pariat;Safe=icaboNe;Location=boreetd;Category=uir;RequestId=rumex;Reason=ectobea;Severity=medium;SourceUser=tamrem;TargetUser=doloremi;GatewayStation=10.200.162.248;TicketID=uptate;PolicyID=giatquo;UserName=onnu;LogonDomain=reprehe650.www.corp;Address=oremip4070.www5.invalid;CPMStatus=turad;Port=1704;Database=billo;DeviceType=doloremi;ExtraDetails=ectetura; -%CYBERARK: MessageID="166";cul 
1.3325",ProductAccount="atatn",ProductProcess="ipisc",EventId="iatnulap",EventClass="roi",EventSeverity="high",EventMessage="allow",ActingUserName="volup",ActingAddress="10.103.215.159",ActionSourceUser="ddoeiusm",ActionTargetUser="apa",ActionObject="archite",ActionSafe="tur",ActionLocation="ddo",ActionCategory="emp",ActionRequestId="inBC",ActionReason="did",ActionExtraDetails="atcupi" diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json deleted file mode 100644 index 6df370af4bbc..000000000000 --- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json +++ /dev/null 
@@ -1,5584 +0,0 @@ -[ - { - "event.action": "allow", - "event.code": "ria", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2016-01-29 06:09:59.732538723 +0000 UTC eacommod1428.lan %CYBERARK: MessageID=\"188\";exercita 1.1332\",ProductAccount=\"itv\",ProductProcess=\"odoco\",EventId=\"ria\",EventClass=\"min\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"utl\",ActingAddress=\"10.208.15.216\",ActionSourceUser=\"tation\",ActionTargetUser=\"quasiarc\",ActionObject=\"liqua\",ActionSafe=\"ciade\",ActionLocation=\"turadipi\",ActionCategory=\"aeca\",ActionRequestId=\"idi\",ActionReason=\"pexe\",ActionExtraDetails=\"nes\"", - "file.directory": "turadipi", - "file.name": "liqua", - "fileset.name": "corepas", - "host.ip": "10.208.15.216", - "input.type": "log", - "log.level": "low", - "log.offset": 0, - "observer.product": "exercita", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1332", - "related.ip": [ - "10.208.15.216" - ], - "related.user": [ - "itv", - "quasiarc", - "utl" - ], - "rsa.db.index": "nes", - "rsa.internal.event_desc": "pexe", - "rsa.internal.messageid": "188", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "aeca", - "rsa.misc.group_object": "ciade", - "rsa.misc.reference_id": "ria", - "rsa.misc.reference_id1": "idi", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.1332", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "utl" - }, - { - "destination.address": "volup208.invalid", - "destination.port": 5191, - "event.action": "block", - "event.code": "168", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: 
MessageID=\"168\";Version=1.259;Message=block;Issuer=dolore;Station=10.92.136.230;File=ritquiin;Safe=umqui;Location=reeufugi;Category=mdolo;RequestId=mqui;Reason=nci;Severity=very-high;SourceUser=litesse;TargetUser=orev;GatewayStation=10.175.75.18;TicketID=deF;PolicyID=sist;UserName=nnumqu;LogonDomain=iatnu3810.mail.localdomain;Address=volup208.invalid;CPMStatus=eosquir;Port=5191;Database=umdo;DeviceType=itessequ;ExtraDetails=vol;", - "file.directory": "reeufugi", - "file.name": "ritquiin", - "fileset.name": "corepas", - "group.name": "litesse", - "host.ip": "10.92.136.230", - "input.type": "log", - "log.level": "very-high", - "log.offset": 477, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.259", - "related.hosts": [ - "iatnu3810.mail.localdomain", - "volup208.invalid" - ], - "related.ip": [ - "10.175.75.18", - "10.92.136.230" - ], - "related.user": [ - "dolore", - "nnumqu", - "orev" - ], - "rsa.db.database": "umdo", - "rsa.db.index": "vol", - "rsa.internal.event_desc": "nci", - "rsa.internal.messageid": "168", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "mdolo", - "rsa.misc.disposition": "eosquir", - "rsa.misc.group": "litesse", - "rsa.misc.group_object": "umqui", - "rsa.misc.obj_type": "itessequ", - "rsa.misc.operation_id": "deF", - "rsa.misc.policy_name": "sist", - "rsa.misc.reference_id": "168", - "rsa.misc.reference_id1": "mqui", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.259", - "rsa.network.domain": "iatnu3810.mail.localdomain", - "rsa.network.host_dst": "volup208.invalid", - "server.domain": "iatnu3810.mail.localdomain", - "server.registered_domain": "mail.localdomain", - "server.subdomain": "iatnu3810", - "server.top_level_domain": "localdomain", - "service.type": "cyberark", - "source.ip": [ - "10.175.75.18" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "dolore" - }, - { - "destination.address": "tetu5280.www5.invalid", - 
"destination.port": 2548, - "event.action": "accept", - "event.code": "26", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "nibus 2016-02-26 20:15:08.252538723 +0000 UTC mipsumq3879.internal.localdomain %CYBERARK: MessageID=\"26\";Version=1.7269;Message=accept;Issuer=incid;Station=10.51.132.10;File=utper;Safe=squame;Location=ntex;Category=eius;RequestId=luptat;Reason=emape;Severity=low;SourceUser=incidi;TargetUser=nse;GatewayStation=10.46.185.46;TicketID=temvel;PolicyID=iatu;UserName=serror;LogonDomain=anti4454.api.example;Address=tetu5280.www5.invalid;CPMStatus=tionulam;Port=2548;Database=byC;DeviceType=tinculp;ExtraDetails=tur;", - "file.directory": "ntex", - "file.name": "utper", - "fileset.name": "corepas", - "group.name": "incidi", - "host.ip": "10.51.132.10", - "input.type": "log", - "log.level": "low", - "log.offset": 921, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7269", - "related.hosts": [ - "anti4454.api.example", - "tetu5280.www5.invalid" - ], - "related.ip": [ - "10.46.185.46", - "10.51.132.10" - ], - "related.user": [ - "incid", - "nse", - "serror" - ], - "rsa.db.database": "byC", - "rsa.db.index": "tur", - "rsa.internal.event_desc": "emape", - "rsa.internal.messageid": "26", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "eius", - "rsa.misc.disposition": "tionulam", - "rsa.misc.group": "incidi", - "rsa.misc.group_object": "squame", - "rsa.misc.obj_type": "tinculp", - "rsa.misc.operation_id": "temvel", - "rsa.misc.policy_name": "iatu", - "rsa.misc.reference_id": "26", - "rsa.misc.reference_id1": "luptat", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7269", - "rsa.network.domain": "anti4454.api.example", - "rsa.network.host_dst": "tetu5280.www5.invalid", - "server.domain": "anti4454.api.example", - "server.registered_domain": "api.example", - "server.subdomain": "anti4454", - "server.top_level_domain": "example", 
- "service.type": "cyberark", - "source.ip": [ - "10.46.185.46" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "incid" - }, - { - "destination.address": "llu4762.mail.localdomain", - "destination.port": 5695, - "event.action": "deny", - "event.code": "184", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2016-03-12 03:17:42.512538723 +0000 UTC minim7868.www5.localdomain %CYBERARK: MessageID=\"184\";Version=1.6713;Message=deny;Issuer=psumquia;Station=10.53.192.140;File=con;Safe=uia;Location=quiavo;Category=issusci;RequestId=mol;Reason=taspe;Severity=high;SourceUser=psumq;TargetUser=atcup;GatewayStation=10.155.236.240;TicketID=tatno;PolicyID=dquiac;UserName=ptass;LogonDomain=uam6303.api.lan;Address=llu4762.mail.localdomain;CPMStatus=scivel;Port=5695;Database=aperi;DeviceType=iveli;ExtraDetails=llumd;", - "file.directory": "quiavo", - "file.name": "con", - "fileset.name": "corepas", - "group.name": "psumq", - "host.ip": "10.53.192.140", - "input.type": "log", - "log.level": "high", - "log.offset": 1433, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6713", - "related.hosts": [ - "llu4762.mail.localdomain", - "uam6303.api.lan" - ], - "related.ip": [ - "10.155.236.240", - "10.53.192.140" - ], - "related.user": [ - "atcup", - "psumquia", - "ptass" - ], - "rsa.db.database": "aperi", - "rsa.db.index": "llumd", - "rsa.internal.event_desc": "taspe", - "rsa.internal.messageid": "184", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "issusci", - "rsa.misc.disposition": "scivel", - "rsa.misc.group": "psumq", - "rsa.misc.group_object": "uia", - "rsa.misc.obj_type": "iveli", - "rsa.misc.operation_id": "tatno", - "rsa.misc.policy_name": "dquiac", - "rsa.misc.reference_id": "184", - "rsa.misc.reference_id1": "mol", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.6713", - "rsa.network.domain": "uam6303.api.lan", - 
"rsa.network.host_dst": "llu4762.mail.localdomain", - "server.domain": "uam6303.api.lan", - "server.registered_domain": "api.lan", - "server.subdomain": "uam6303", - "server.top_level_domain": "lan", - "service.type": "cyberark", - "source.ip": [ - "10.155.236.240" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "psumquia" - }, - { - "event.action": "cancel", - "event.code": "rmagni", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"161\";emaper 1.2638\",ProductAccount=\"eos\",ProductProcess=\"enimad\",EventId=\"rmagni\",EventClass=\"sit\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"oremips\",ActingAddress=\"10.81.199.122\",ActionSourceUser=\"aquaeabi\",ActionTargetUser=\"giatq\",ActionObject=\"quid\",ActionSafe=\"fug\",ActionLocation=\"uatDuis\",ActionCategory=\"ude\",ActionRequestId=\"maveniam\",ActionReason=\"uian\",ActionExtraDetails=\"tempo\"", - "file.directory": "uatDuis", - "file.name": "quid", - "fileset.name": "corepas", - "host.ip": "10.81.199.122", - "input.type": "log", - "log.level": "medium", - "log.offset": 1935, - "observer.product": "emaper", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2638", - "related.ip": [ - "10.81.199.122" - ], - "related.user": [ - "eos", - "giatq", - "oremips" - ], - "rsa.db.index": "tempo", - "rsa.internal.event_desc": "uian", - "rsa.internal.messageid": "161", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "ude", - "rsa.misc.group_object": "fug", - "rsa.misc.reference_id": "rmagni", - "rsa.misc.reference_id1": "maveniam", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.2638", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "oremips" - }, - { - "destination.address": "aquaeab2275.www5.domain", - "destination.port": 4091, - "event.action": "deny", - "event.code": "139", - "event.dataset": 
"cyberark.corepas", - "event.module": "cyberark", - "event.original": "eetd 2016-04-09 17:22:51.032538723 +0000 UTC eip1448.internal.local %CYBERARK: MessageID=\"139\";Version=1.3491;Message=deny;Issuer=tcupida;Station=10.139.186.201;File=ect;Safe=reetdolo;Location=nrepreh;Category=obeataev;RequestId=lor;Reason=uidexea;Severity=medium;SourceUser=natura;TargetUser=aboris;GatewayStation=10.172.14.142;TicketID=ssitaspe;PolicyID=gitsedqu;UserName=uam;LogonDomain=temq1198.internal.example;Address=aquaeab2275.www5.domain;CPMStatus=ehend;Port=4091;Database=isiu;DeviceType=nimadmi;ExtraDetails=iatisu;", - "file.directory": "nrepreh", - "file.name": "ect", - "fileset.name": "corepas", - "group.name": "natura", - "host.ip": "10.139.186.201", - "input.type": "log", - "log.level": "medium", - "log.offset": 2366, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3491", - "related.hosts": [ - "aquaeab2275.www5.domain", - "temq1198.internal.example" - ], - "related.ip": [ - "10.139.186.201", - "10.172.14.142" - ], - "related.user": [ - "aboris", - "tcupida", - "uam" - ], - "rsa.db.database": "isiu", - "rsa.db.index": "iatisu", - "rsa.internal.event_desc": "uidexea", - "rsa.internal.messageid": "139", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "obeataev", - "rsa.misc.disposition": "ehend", - "rsa.misc.group": "natura", - "rsa.misc.group_object": "reetdolo", - "rsa.misc.obj_type": "nimadmi", - "rsa.misc.operation_id": "ssitaspe", - "rsa.misc.policy_name": "gitsedqu", - "rsa.misc.reference_id": "139", - "rsa.misc.reference_id1": "lor", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3491", - "rsa.network.domain": "temq1198.internal.example", - "rsa.network.host_dst": "aquaeab2275.www5.domain", - "server.domain": "temq1198.internal.example", - "server.registered_domain": "internal.example", - "server.subdomain": "temq1198", - "server.top_level_domain": "example", - "service.type": 
"cyberark", - "source.ip": [ - "10.172.14.142" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tcupida" - }, - { - "destination.address": "amquisno3338.www5.lan", - "destination.port": 776, - "event.action": "accept", - "event.code": "106", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"106\";Version=1.6875;Message=accept;Issuer=ipis;Station=10.47.76.251;File=eataevit;Safe=uptatev;Location=uovol;Category=dmi;RequestId=olab;Reason=mquisnos;Severity=medium;SourceUser=ore;TargetUser=etconsec;GatewayStation=10.104.111.129;TicketID=mUt;PolicyID=usmodte;UserName=ele;LogonDomain=tenbyCic5882.api.home;Address=amquisno3338.www5.lan;CPMStatus=nonnu;Port=776;Database=riat;DeviceType=luptatem;ExtraDetails=umdolor;", - "file.directory": "uovol", - "file.name": "eataevit", - "fileset.name": "corepas", - "group.name": "ore", - "host.ip": "10.47.76.251", - "input.type": "log", - "log.level": "medium", - "log.offset": 2894, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6875", - "related.hosts": [ - "amquisno3338.www5.lan", - "tenbyCic5882.api.home" - ], - "related.ip": [ - "10.104.111.129", - "10.47.76.251" - ], - "related.user": [ - "ele", - "etconsec", - "ipis" - ], - "rsa.db.database": "riat", - "rsa.db.index": "umdolor", - "rsa.internal.event_desc": "mquisnos", - "rsa.internal.messageid": "106", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "dmi", - "rsa.misc.disposition": "nonnu", - "rsa.misc.group": "ore", - "rsa.misc.group_object": "uptatev", - "rsa.misc.obj_type": "luptatem", - "rsa.misc.operation_id": "mUt", - "rsa.misc.policy_name": "usmodte", - "rsa.misc.reference_id": "106", - "rsa.misc.reference_id1": "olab", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6875", - "rsa.network.domain": "tenbyCic5882.api.home", - "rsa.network.host_dst": "amquisno3338.www5.lan", - "server.domain": 
"tenbyCic5882.api.home", - "server.registered_domain": "api.home", - "server.subdomain": "tenbyCic5882", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.104.111.129" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ipis" - }, - { - "event.action": "deny", - "event.code": "ofdeF", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "inB 2016-05-08 07:27:59.552538723 +0000 UTC deomni124.www.example %CYBERARK: MessageID=\"74\";tae 1.1382\",ProductAccount=\"animi\",ProductProcess=\"oluptate\",EventId=\"ofdeF\",EventClass=\"tion\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"quiratio\",ActingAddress=\"10.116.120.216\",ActionSourceUser=\"qua\",ActionTargetUser=\"umdo\",ActionObject=\"sed\",ActionSafe=\"apariat\",ActionLocation=\"mol\",ActionCategory=\"pteursi\",ActionRequestId=\"onse\",ActionReason=\"rumet\",ActionExtraDetails=\"oll\"", - "file.directory": "mol", - "file.name": "sed", - "fileset.name": "corepas", - "host.ip": "10.116.120.216", - "input.type": "log", - "log.level": "very-high", - "log.offset": 3339, - "observer.product": "tae", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1382", - "related.ip": [ - "10.116.120.216" - ], - "related.user": [ - "animi", - "quiratio", - "umdo" - ], - "rsa.db.index": "oll", - "rsa.internal.event_desc": "rumet", - "rsa.internal.messageid": "74", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "pteursi", - "rsa.misc.group_object": "apariat", - "rsa.misc.reference_id": "ofdeF", - "rsa.misc.reference_id1": "onse", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.1382", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "quiratio" - }, - { - "destination.address": "idolores3839.localdomain", - "destination.port": 2424, - "event.action": "cancel", - "event.code": "144", - "event.dataset": 
"cyberark.corepas", - "event.module": "cyberark", - "event.original": "Ciceroi 2016-05-22 14:30:33.812538723 +0000 UTC aveniam1436.www.test %CYBERARK: MessageID=\"144\";Version=1.5529;Message=cancel;Issuer=taevi;Station=10.62.54.220;File=ehenderi;Safe=pidatat;Location=gni;Category=tquiinea;RequestId=mquaera;Reason=dun;Severity=medium;SourceUser=Duisau;TargetUser=psum;GatewayStation=10.57.40.29;TicketID=undeo;PolicyID=loremip;UserName=rnatura;LogonDomain=isqu7224.localdomain;Address=idolores3839.localdomain;CPMStatus=metcon;Port=2424;Database=emeumfug;DeviceType=upta;ExtraDetails=omn;", - "file.directory": "gni", - "file.name": "ehenderi", - "fileset.name": "corepas", - "group.name": "Duisau", - "host.ip": "10.62.54.220", - "input.type": "log", - "log.level": "medium", - "log.offset": 3831, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5529", - "related.hosts": [ - "idolores3839.localdomain", - "isqu7224.localdomain" - ], - "related.ip": [ - "10.57.40.29", - "10.62.54.220" - ], - "related.user": [ - "psum", - "rnatura", - "taevi" - ], - "rsa.db.database": "emeumfug", - "rsa.db.index": "omn", - "rsa.internal.event_desc": "dun", - "rsa.internal.messageid": "144", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "tquiinea", - "rsa.misc.disposition": "metcon", - "rsa.misc.group": "Duisau", - "rsa.misc.group_object": "pidatat", - "rsa.misc.obj_type": "upta", - "rsa.misc.operation_id": "undeo", - "rsa.misc.policy_name": "loremip", - "rsa.misc.reference_id": "144", - "rsa.misc.reference_id1": "mquaera", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5529", - "rsa.network.domain": "isqu7224.localdomain", - "rsa.network.host_dst": "idolores3839.localdomain", - "server.domain": "isqu7224.localdomain", - "server.registered_domain": "isqu7224.localdomain", - "server.top_level_domain": "localdomain", - "service.type": "cyberark", - "source.ip": [ - "10.57.40.29" - ], - "tags": [ - 
"cyberark.corepas", - "forwarded" - ], - "user.name": "taevi" - }, - { - "event.action": "cancel", - "event.code": "nibus", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "ons 2016-06-05 21:33:08.072538723 +0000 UTC tessec3539.home %CYBERARK: MessageID=\"240\";nsect 1.6476\",ProductAccount=\"tnon\",ProductProcess=\"ionul\",EventId=\"nibus\",EventClass=\"edquiano\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"ema\",ActingAddress=\"10.74.237.180\",ActionSourceUser=\"nsequu\",ActionTargetUser=\"cup\",ActionObject=\"boNemoen\",ActionSafe=\"uid\",ActionLocation=\"rors\",ActionCategory=\"onofd\",ActionRequestId=\"taed\",ActionReason=\"lup\",ActionExtraDetails=\"remeumf\"", - "file.directory": "rors", - "file.name": "boNemoen", - "fileset.name": "corepas", - "host.ip": "10.74.237.180", - "input.type": "log", - "log.level": "medium", - "log.offset": 4349, - "observer.product": "nsect", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6476", - "related.ip": [ - "10.74.237.180" - ], - "related.user": [ - "cup", - "ema", - "tnon" - ], - "rsa.db.index": "remeumf", - "rsa.internal.event_desc": "lup", - "rsa.internal.messageid": "240", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "onofd", - "rsa.misc.group_object": "uid", - "rsa.misc.reference_id": "nibus", - "rsa.misc.reference_id1": "taed", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6476", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ema" - }, - { - "event.action": "allow", - "event.code": "ido", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2016-06-20 04:35:42.332538723 +0000 UTC sectetur3333.mail.example %CYBERARK: MessageID=\"61\";edqui 
1.7780\",ProductAccount=\"lor\",ProductProcess=\"fugit\",EventId=\"ido\",EventClass=\"paqu\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"remeum\",ActingAddress=\"10.18.165.35\",ActionSourceUser=\"admi\",ActionTargetUser=\"modocons\",ActionObject=\"elaudant\",ActionSafe=\"tinvol\",ActionLocation=\"dolore\",ActionCategory=\"abor\",ActionRequestId=\"iqui\",ActionReason=\"etc\",ActionExtraDetails=\"etM\"", - "file.directory": "dolore", - "file.name": "elaudant", - "fileset.name": "corepas", - "host.ip": "10.18.165.35", - "input.type": "log", - "log.level": "high", - "log.offset": 4835, - "observer.product": "edqui", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7780", - "related.ip": [ - "10.18.165.35" - ], - "related.user": [ - "lor", - "modocons", - "remeum" - ], - "rsa.db.index": "etM", - "rsa.internal.event_desc": "etc", - "rsa.internal.messageid": "61", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "abor", - "rsa.misc.group_object": "tinvol", - "rsa.misc.reference_id": "ido", - "rsa.misc.reference_id1": "iqui", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.7780", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "remeum" - }, - { - "event.action": "deny", - "event.code": "itaut", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2016-07-04 11:38:16.592538723 +0000 UTC xercitat4824.local %CYBERARK: MessageID=\"90\";ostr 1.4979\",ProductAccount=\"onproide\",ProductProcess=\"luptat\",EventId=\"itaut\",EventClass=\"imaven\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"tema\",ActingAddress=\"10.74.253.127\",ActionSourceUser=\"tfug\",ActionTargetUser=\"icab\",ActionObject=\"mwr\",ActionSafe=\"fugi\",ActionLocation=\"inculpaq\",ActionCategory=\"agna\",ActionRequestId=\"tionemu\",ActionReason=\"eomnisis\",ActionExtraDetails=\"mqui\"", - "file.directory": "inculpaq", - "file.name": 
"mwr", - "fileset.name": "corepas", - "host.ip": "10.74.253.127", - "input.type": "log", - "log.level": "high", - "log.offset": 5321, - "observer.product": "ostr", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4979", - "related.ip": [ - "10.74.253.127" - ], - "related.user": [ - "icab", - "onproide", - "tema" - ], - "rsa.db.index": "mqui", - "rsa.internal.event_desc": "eomnisis", - "rsa.internal.messageid": "90", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "agna", - "rsa.misc.group_object": "fugi", - "rsa.misc.reference_id": "itaut", - "rsa.misc.reference_id1": "tionemu", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4979", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tema" - }, - { - "destination.address": "Lor5841.internal.example", - "destination.port": 3075, - "event.action": "block", - "event.code": "385", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "errorsi 2016-07-18 18:40:50.852538723 +0000 UTC des5377.lan %CYBERARK: MessageID=\"385\";Version=1.1697;Message=block;Issuer=ono;Station=10.189.109.245;File=emaperi;Safe=tame;Location=\"tinvol\";Category=tectobe;RequestId=colabor;Reason=iusmodt;Severity=medium;GatewayStation=10.92.8.15;TicketID=agnaali;PolicyID=llitani;UserName=inima;LogonDomain=tlabo6088.www.localdomain;Address=Lor5841.internal.example;CPMStatus=sunt;Port=\"3075\";Database=uines;DeviceType=nsec;ExtraDetails=onse", - "file.directory": "tinvol", - "file.name": "emaperi", - "fileset.name": "corepas", - "host.ip": "10.189.109.245", - "input.type": "log", - "log.level": "medium", - "log.offset": 5807, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1697", - "related.hosts": [ - "Lor5841.internal.example", - "tlabo6088.www.localdomain" - ], - "related.ip": [ - "10.189.109.245", - "10.92.8.15" - ], - "related.user": [ - 
"inima", - "ono" - ], - "rsa.db.database": "uines", - "rsa.db.index": "onse", - "rsa.internal.event_desc": "iusmodt", - "rsa.internal.messageid": "385", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "tectobe", - "rsa.misc.disposition": "sunt", - "rsa.misc.group_object": "tame", - "rsa.misc.obj_type": "nsec", - "rsa.misc.operation_id": "agnaali", - "rsa.misc.policy_name": "llitani", - "rsa.misc.reference_id": "385", - "rsa.misc.reference_id1": "colabor", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.1697", - "rsa.network.domain": "tlabo6088.www.localdomain", - "rsa.network.host_dst": "Lor5841.internal.example", - "server.domain": "tlabo6088.www.localdomain", - "server.registered_domain": "www.localdomain", - "server.subdomain": "tlabo6088", - "server.top_level_domain": "localdomain", - "service.type": "cyberark", - "source.ip": [ - "10.92.8.15" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ono" - }, - { - "event.action": "accept", - "event.code": "tisetq", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "August 2 01:43:25 tat %CYBERARK: MessageID=\"190\";tion 1.1761\",ProductAccount=\"upt\",ProductProcess=\"uiineavo\",EventId=\"tisetq\",EventClass=\"irati\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"giatquov\",ActingAddress=\"10.21.78.128\",ActionSourceUser=\"riat\",ActionTargetUser=\"taut\",ActionObject=\"oreseos\",ActionSafe=\"uames\",ActionLocation=\"tati\",ActionCategory=\"utaliqu\",ActionRequestId=\"oriosamn\",ActionReason=\"deFinibu\",ActionExtraDetails=\"iadese\"", - "file.directory": "tati", - "file.name": "oreseos", - "fileset.name": "corepas", - "host.ip": "10.21.78.128", - "input.type": "log", - "log.level": "low", - "log.offset": 6286, - "observer.product": "tion", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1761", - "related.ip": [ - "10.21.78.128" - ], - "related.user": [ - "giatquov", - "taut", 
- "upt" - ], - "rsa.db.index": "iadese", - "rsa.internal.event_desc": "deFinibu", - "rsa.internal.messageid": "190", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "utaliqu", - "rsa.misc.group_object": "uames", - "rsa.misc.reference_id": "tisetq", - "rsa.misc.reference_id1": "oriosamn", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.1761", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "giatquov" - }, - { - "event.action": "deny", - "event.code": "suntinc", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"256\";eporroqu 1.4200\",ProductAccount=\"hil\",ProductProcess=\"atquovo\",EventId=\"suntinc\",EventClass=\"xeac\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"tatn\",ActingAddress=\"10.18.109.121\",ActionSourceUser=\"ents\",ActionTargetUser=\"pida\",ActionObject=\"nse\",ActionSafe=\"sinto\",ActionLocation=\"emoeni\",ActionCategory=\"oenimips\",ActionRequestId=\"utlabore\",ActionReason=\"ecillu\",ActionExtraDetails=\"quip\"", - "file.directory": "emoeni", - "file.name": "nse", - "fileset.name": "corepas", - "host.ip": "10.18.109.121", - "input.type": "log", - "log.level": "medium", - "log.offset": 6744, - "observer.product": "eporroqu", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4200", - "related.ip": [ - "10.18.109.121" - ], - "related.user": [ - "hil", - "pida", - "tatn" - ], - "rsa.db.index": "quip", - "rsa.internal.event_desc": "ecillu", - "rsa.internal.messageid": "256", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "oenimips", - "rsa.misc.group_object": "sinto", - "rsa.misc.reference_id": "suntinc", - "rsa.misc.reference_id1": "utlabore", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.4200", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tatn" - }, - { - "destination.address": 
"rpo79.mail.example", - "destination.port": 2289, - "event.action": "cancel", - "event.code": "105", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"105\";Version=1.3727;Message=cancel;Issuer=iunt;Station=10.63.37.192;File=tio;Safe=orinrepr;Location=conse;Category=rumetM;RequestId=equi;Reason=agnaali;Severity=medium;SourceUser=sitvolup;TargetUser=reetd;GatewayStation=10.225.115.13;TicketID=maccusa;PolicyID=uptat;UserName=equep;LogonDomain=iavolu5352.localhost;Address=rpo79.mail.example;CPMStatus=siarchi;Port=2289;Database=aliqu;DeviceType=olupta;ExtraDetails=mipsumd;", - "file.directory": "conse", - "file.name": "tio", - "fileset.name": "corepas", - "group.name": "sitvolup", - "host.ip": "10.63.37.192", - "input.type": "log", - "log.level": "medium", - "log.offset": 7176, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3727", - "related.hosts": [ - "iavolu5352.localhost", - "rpo79.mail.example" - ], - "related.ip": [ - "10.225.115.13", - "10.63.37.192" - ], - "related.user": [ - "equep", - "iunt", - "reetd" - ], - "rsa.db.database": "aliqu", - "rsa.db.index": "mipsumd", - "rsa.internal.event_desc": "agnaali", - "rsa.internal.messageid": "105", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "rumetM", - "rsa.misc.disposition": "siarchi", - "rsa.misc.group": "sitvolup", - "rsa.misc.group_object": "orinrepr", - "rsa.misc.obj_type": "olupta", - "rsa.misc.operation_id": "maccusa", - "rsa.misc.policy_name": "uptat", - "rsa.misc.reference_id": "105", - "rsa.misc.reference_id1": "equi", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3727", - "rsa.network.domain": "iavolu5352.localhost", - "rsa.network.host_dst": "rpo79.mail.example", - "server.domain": "iavolu5352.localhost", - "server.registered_domain": "iavolu5352.localhost", - "server.top_level_domain": "localhost", - "service.type": "cyberark", - "source.ip": [ 
- "10.225.115.13" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "iunt" - }, - { - "destination.address": "tionof7613.domain", - "destination.port": 2335, - "event.action": "deny", - "event.code": "105", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "remi 2016-09-13 22:51:07.892538723 +0000 UTC saute7154.internal.lan %CYBERARK: MessageID=\"105\";Version=1.3219;Message=deny;Issuer=run;Station=10.47.202.102;File=quirat;Safe=llu;Location=licab;Category=eirure;RequestId=conseq;Reason=oidentsu;Severity=medium;SourceUser=aaliquaU;TargetUser=ntor;GatewayStation=10.95.64.124;TicketID=psaquae;PolicyID=ationemu;UserName=ice;LogonDomain=estiae3750.api.corp;Address=tionof7613.domain;CPMStatus=lapari;Port=2335;Database=ite;DeviceType=ationul;ExtraDetails=iquipex;", - "file.directory": "licab", - "file.name": "quirat", - "fileset.name": "corepas", - "group.name": "aaliquaU", - "host.ip": "10.47.202.102", - "input.type": "log", - "log.level": "medium", - "log.offset": 7622, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3219", - "related.hosts": [ - "estiae3750.api.corp", - "tionof7613.domain" - ], - "related.ip": [ - "10.47.202.102", - "10.95.64.124" - ], - "related.user": [ - "ice", - "ntor", - "run" - ], - "rsa.db.database": "ite", - "rsa.db.index": "iquipex", - "rsa.internal.event_desc": "oidentsu", - "rsa.internal.messageid": "105", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "eirure", - "rsa.misc.disposition": "lapari", - "rsa.misc.group": "aaliquaU", - "rsa.misc.group_object": "llu", - "rsa.misc.obj_type": "ationul", - "rsa.misc.operation_id": "psaquae", - "rsa.misc.policy_name": "ationemu", - "rsa.misc.reference_id": "105", - "rsa.misc.reference_id1": "conseq", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3219", - "rsa.network.domain": "estiae3750.api.corp", - "rsa.network.host_dst": "tionof7613.domain", - 
"server.domain": "estiae3750.api.corp", - "server.registered_domain": "api.corp", - "server.subdomain": "estiae3750", - "server.top_level_domain": "corp", - "service.type": "cyberark", - "source.ip": [ - "10.95.64.124" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "run" - }, - { - "destination.address": "acc7692.home", - "destination.port": 4147, - "event.action": "block", - "event.code": "376", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "adol 2016-09-28 05:53:42.152538723 +0000 UTC doloremi7402.www.test %CYBERARK: MessageID=\"376\";Version=1.6371;Message=block;Issuer=itquiin;Station=10.106.239.55;File=taevit;Safe=rinrepre;Location=etconse;Category=tincu;RequestId=ari;Reason=exercit;Severity=low;GatewayStation=10.244.114.61;TicketID=oluptate;PolicyID=onseq;UserName=serunt;LogonDomain=aquaeabi7735.internal.lan;Address=acc7692.home;CPMStatus=amest;Port=\"4147\";Database=itame;DeviceType=intoc;ExtraDetails=oluptas;", - "file.directory": "etconse", - "file.name": "taevit", - "fileset.name": "corepas", - "host.ip": "10.106.239.55", - "input.type": "log", - "log.level": "low", - "log.offset": 8130, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6371", - "related.hosts": [ - "acc7692.home", - "aquaeabi7735.internal.lan" - ], - "related.ip": [ - "10.106.239.55", - "10.244.114.61" - ], - "related.user": [ - "itquiin", - "serunt" - ], - "rsa.db.database": "itame", - "rsa.db.index": "oluptas", - "rsa.internal.event_desc": "exercit", - "rsa.internal.messageid": "376", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "tincu", - "rsa.misc.disposition": "amest", - "rsa.misc.group_object": "rinrepre", - "rsa.misc.obj_type": "intoc", - "rsa.misc.operation_id": "oluptate", - "rsa.misc.policy_name": "onseq", - "rsa.misc.reference_id": "376", - "rsa.misc.reference_id1": "ari", - "rsa.misc.severity": "low", - "rsa.misc.version": 
"1.6371", - "rsa.network.domain": "aquaeabi7735.internal.lan", - "rsa.network.host_dst": "acc7692.home", - "server.domain": "aquaeabi7735.internal.lan", - "server.registered_domain": "internal.lan", - "server.subdomain": "aquaeabi7735", - "server.top_level_domain": "lan", - "service.type": "cyberark", - "source.ip": [ - "10.244.114.61" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "itquiin" - }, - { - "destination.address": "quatD4191.local", - "destination.port": 5685, - "event.action": "allow", - "event.code": "24", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2016-10-12 12:56:16.412538723 +0000 UTC luptasn2126.mail.home %CYBERARK: MessageID=\"24\";Version=1.821;Message=allow;Issuer=ione;Station=10.125.160.129;File=suntexp;Safe=duntut;Location=magni;Category=pisciv;RequestId=iquidex;Reason=radipisc;Severity=low;SourceUser=nti;TargetUser=abi;GatewayStation=10.53.168.235;TicketID=fugitse;PolicyID=veniamq;UserName=one;LogonDomain=etMalor4236.www5.host;Address=quatD4191.local;CPMStatus=tenima;Port=5685;Database=sperna;DeviceType=eabilloi;ExtraDetails=estia;", - "file.directory": "magni", - "file.name": "suntexp", - "fileset.name": "corepas", - "group.name": "nti", - "host.ip": "10.125.160.129", - "input.type": "log", - "log.level": "low", - "log.offset": 8609, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.821", - "related.hosts": [ - "etMalor4236.www5.host", - "quatD4191.local" - ], - "related.ip": [ - "10.125.160.129", - "10.53.168.235" - ], - "related.user": [ - "abi", - "ione", - "one" - ], - "rsa.db.database": "sperna", - "rsa.db.index": "estia", - "rsa.internal.event_desc": "radipisc", - "rsa.internal.messageid": "24", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "pisciv", - "rsa.misc.disposition": "tenima", - "rsa.misc.group": "nti", - "rsa.misc.group_object": "duntut", - "rsa.misc.obj_type": "eabilloi", 
- "rsa.misc.operation_id": "fugitse", - "rsa.misc.policy_name": "veniamq", - "rsa.misc.reference_id": "24", - "rsa.misc.reference_id1": "iquidex", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.821", - "rsa.network.domain": "etMalor4236.www5.host", - "rsa.network.host_dst": "quatD4191.local", - "server.domain": "etMalor4236.www5.host", - "server.registered_domain": "www5.host", - "server.subdomain": "etMalor4236", - "server.top_level_domain": "host", - "service.type": "cyberark", - "source.ip": [ - "10.53.168.235" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ione" - }, - { - "destination.address": "eturadi6608.mail.host", - "destination.port": 3366, - "event.action": "allow", - "event.code": "197", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "orem 2016-10-26 19:58:50.672538723 +0000 UTC beata6448.mail.test %CYBERARK: MessageID=\"197\";Version=1.1123;Message=allow;Issuer=tasuntex;Station=10.227.177.121;File=boN;Safe=eprehend;Location=aevit;Category=aboN;RequestId=ihilmo;Reason=radi;Severity=low;SourceUser=uames;TargetUser=iduntu;GatewayStation=10.33.245.220;TicketID=giatnu;PolicyID=ulapa;UserName=liqui;LogonDomain=quioffi1359.internal.lan;Address=eturadi6608.mail.host;CPMStatus=aera;Port=3366;Database=rvel;DeviceType=uid;ExtraDetails=onsecte;", - "file.directory": "aevit", - "file.name": "boN", - "fileset.name": "corepas", - "group.name": "uames", - "host.ip": "10.227.177.121", - "input.type": "log", - "log.level": "low", - "log.offset": 9110, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1123", - "related.hosts": [ - "eturadi6608.mail.host", - "quioffi1359.internal.lan" - ], - "related.ip": [ - "10.227.177.121", - "10.33.245.220" - ], - "related.user": [ - "iduntu", - "liqui", - "tasuntex" - ], - "rsa.db.database": "rvel", - "rsa.db.index": "onsecte", - "rsa.internal.event_desc": "radi", - "rsa.internal.messageid": 
"197", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "aboN", - "rsa.misc.disposition": "aera", - "rsa.misc.group": "uames", - "rsa.misc.group_object": "eprehend", - "rsa.misc.obj_type": "uid", - "rsa.misc.operation_id": "giatnu", - "rsa.misc.policy_name": "ulapa", - "rsa.misc.reference_id": "197", - "rsa.misc.reference_id1": "ihilmo", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.1123", - "rsa.network.domain": "quioffi1359.internal.lan", - "rsa.network.host_dst": "eturadi6608.mail.host", - "server.domain": "quioffi1359.internal.lan", - "server.registered_domain": "internal.lan", - "server.subdomain": "quioffi1359", - "server.top_level_domain": "lan", - "service.type": "cyberark", - "source.ip": [ - "10.33.245.220" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tasuntex" - }, - { - "destination.address": "eroi176.example", - "destination.port": 3341, - "event.action": "allow", - "event.code": "411", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "November 10 03:01:24 edo %CYBERARK: MessageID=\"411\";Version=1.5071;Message=allow;Issuer=econs;Station=\"10.98.182.220\";File=\"untex\";Safe=\"quiratio\";Location=\"boree\";Category=\"eco\";RequestId=Utenimad;Reason=orpor;Severity=\"low\";GatewayStation=\"10.167.85.181\";TicketID=emvel;PolicyID=\"tmollita\";UserName=fde;LogonDomain=\"nsecte3304.mail.corp\";Address=\"eroi176.example\";CPMStatus=\"non\";Port=\"3341\";Database=equat;DeviceType=derit;ExtraDetails=\"Command=dexea;ConnectionComponentId=atcu;DstHost=labor;ProcessId=6501;ProcessName=laboree.exe;Protocol=tcp;PSMID=intocc;RDPOffset=liqu;SessionID=eporr;SrcHost=xeacomm6855.api.corp;User=utlabor;VIDOffset=rau;\"", - "file.directory": "boree", - "file.name": "untex", - "fileset.name": "corepas", - "host.hostname": "xeacomm6855.api.corp", - "host.ip": "10.98.182.220", - "input.type": "log", - "log.level": "low", - "log.offset": 9617, - "network.protocol": "tcp", - 
"observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5071", - "process.name": "laboree.exe", - "process.pid": 6501, - "related.hosts": [ - "eroi176.example", - "nsecte3304.mail.corp", - "xeacomm6855.api.corp" - ], - "related.ip": [ - "10.167.85.181", - "10.98.182.220" - ], - "related.user": [ - "econs", - "fde" - ], - "rsa.db.database": "equat", - "rsa.internal.event_desc": "orpor", - "rsa.internal.messageid": "411", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "eco", - "rsa.misc.disposition": "non", - "rsa.misc.group_object": "quiratio", - "rsa.misc.log_session_id": "eporr", - "rsa.misc.obj_type": "derit", - "rsa.misc.operation_id": "emvel", - "rsa.misc.param": "dexea", - "rsa.misc.policy_name": "tmollita", - "rsa.misc.reference_id": "411", - "rsa.misc.reference_id1": "Utenimad", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.5071", - "rsa.network.domain": "nsecte3304.mail.corp", - "rsa.network.host_dst": "eroi176.example", - "server.domain": "nsecte3304.mail.corp", - "server.registered_domain": "mail.corp", - "server.subdomain": "nsecte3304", - "server.top_level_domain": "corp", - "service.type": "cyberark", - "source.address": "xeacomm6855.api.corp", - "source.ip": [ - "10.167.85.181" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "econs" - }, - { - "event.action": "block", - "event.code": "tessec", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "November 24 10:03:59 aeabi %CYBERARK: MessageID=\"111\";eiu 
1.4456\",ProductAccount=\"iciadese\",ProductProcess=\"quidolor\",EventId=\"tessec\",EventClass=\"olupta\",EventSeverity=\"high\",EventMessage=\"block\",ActingUserName=\"icabo\",ActingAddress=\"10.89.208.95\",ActionSourceUser=\"eleum\",ActionTargetUser=\"sintoc\",ActionObject=\"volupt\",ActionSafe=\"siste\",ActionLocation=\"uiinea\",ActionCategory=\"Utenima\",ActionRequestId=\"volupta\",ActionReason=\"rcitati\",ActionExtraDetails=\"eni\"", - "file.directory": "uiinea", - "file.name": "volupt", - "fileset.name": "corepas", - "host.ip": "10.89.208.95", - "input.type": "log", - "log.level": "high", - "log.offset": 10266, - "observer.product": "eiu", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4456", - "related.ip": [ - "10.89.208.95" - ], - "related.user": [ - "icabo", - "iciadese", - "sintoc" - ], - "rsa.db.index": "eni", - "rsa.internal.event_desc": "rcitati", - "rsa.internal.messageid": "111", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "Utenima", - "rsa.misc.group_object": "siste", - "rsa.misc.reference_id": "tessec", - "rsa.misc.reference_id1": "volupta", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4456", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "icabo" - }, - { - "destination.address": "reetdolo6852.www.test", - "destination.port": 5428, - "event.action": "accept", - "event.code": "81", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "Ute 2016-12-08 17:06:33.452538723 +0000 UTC sperna5368.mail.invalid %CYBERARK: 
MessageID=\"81\";Version=1.509;Message=accept;Issuer=tDuisaut;Station=10.214.191.180;File=imvenia;Safe=spi;Location=stquido;Category=ommodico;RequestId=ptas;Reason=pta;Severity=medium;SourceUser=ptatemq;TargetUser=luptatev;GatewayStation=10.72.148.32;TicketID=ipsumd;PolicyID=ntocc;UserName=uteirure;LogonDomain=nevo4284.internal.local;Address=reetdolo6852.www.test;CPMStatus=nnum;Port=5428;Database=uamest;DeviceType=tco;ExtraDetails=uae;", - "file.directory": "stquido", - "file.name": "imvenia", - "fileset.name": "corepas", - "group.name": "ptatemq", - "host.ip": "10.214.191.180", - "input.type": "log", - "log.level": "medium", - "log.offset": 10730, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.509", - "related.hosts": [ - "nevo4284.internal.local", - "reetdolo6852.www.test" - ], - "related.ip": [ - "10.214.191.180", - "10.72.148.32" - ], - "related.user": [ - "luptatev", - "tDuisaut", - "uteirure" - ], - "rsa.db.database": "uamest", - "rsa.db.index": "uae", - "rsa.internal.event_desc": "pta", - "rsa.internal.messageid": "81", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "ommodico", - "rsa.misc.disposition": "nnum", - "rsa.misc.group": "ptatemq", - "rsa.misc.group_object": "spi", - "rsa.misc.obj_type": "tco", - "rsa.misc.operation_id": "ipsumd", - "rsa.misc.policy_name": "ntocc", - "rsa.misc.reference_id": "81", - "rsa.misc.reference_id1": "ptas", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.509", - "rsa.network.domain": "nevo4284.internal.local", - "rsa.network.host_dst": "reetdolo6852.www.test", - "server.domain": "nevo4284.internal.local", - "server.registered_domain": "internal.local", - "server.subdomain": "nevo4284", - "server.top_level_domain": "local", - "service.type": "cyberark", - "source.ip": [ - "10.72.148.32" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tDuisaut" - }, - { - "destination.address": 
"mporin6932.api.localdomain", - "destination.port": 6604, - "event.action": "block", - "event.code": "168", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"168\";Version=1.3599;Message=block;Issuer=ipsumd;Station=10.136.190.236;File=evolu;Safe=ersp;Location=tquov;Category=diconseq;RequestId=inven;Reason=osquira;Severity=low;SourceUser=ataevi;TargetUser=com;GatewayStation=10.252.124.150;TicketID=trud;PolicyID=eriti;UserName=litessec;LogonDomain=itas981.mail.domain;Address=mporin6932.api.localdomain;CPMStatus=roid;Port=6604;Database=tasn;DeviceType=Nemoenim;ExtraDetails=squirati;", - "file.directory": "tquov", - "file.name": "evolu", - "fileset.name": "corepas", - "group.name": "ataevi", - "host.ip": "10.136.190.236", - "input.type": "log", - "log.level": "low", - "log.offset": 11247, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3599", - "related.hosts": [ - "itas981.mail.domain", - "mporin6932.api.localdomain" - ], - "related.ip": [ - "10.136.190.236", - "10.252.124.150" - ], - "related.user": [ - "com", - "ipsumd", - "litessec" - ], - "rsa.db.database": "tasn", - "rsa.db.index": "squirati", - "rsa.internal.event_desc": "osquira", - "rsa.internal.messageid": "168", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "diconseq", - "rsa.misc.disposition": "roid", - "rsa.misc.group": "ataevi", - "rsa.misc.group_object": "ersp", - "rsa.misc.obj_type": "Nemoenim", - "rsa.misc.operation_id": "trud", - "rsa.misc.policy_name": "eriti", - "rsa.misc.reference_id": "168", - "rsa.misc.reference_id1": "inven", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3599", - "rsa.network.domain": "itas981.mail.domain", - "rsa.network.host_dst": "mporin6932.api.localdomain", - "server.domain": "itas981.mail.domain", - "server.registered_domain": "mail.domain", - "server.subdomain": "itas981", - "server.top_level_domain": "domain", - 
"service.type": "cyberark", - "source.ip": [ - "10.252.124.150" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ipsumd" - }, - { - "destination.address": "illoin2914.mail.lan", - "destination.port": 6895, - "event.action": "accept", - "event.code": "90", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "nbyCic 2017-01-06 07:11:41.972538723 +0000 UTC utlabor6305.internal.corp %CYBERARK: MessageID=\"90\";Version=1.5649;Message=accept;Issuer=iquipe;Station=10.192.34.76;File=modtemp;Safe=quovol;Location=nve;Category=remag;RequestId=uredol;Reason=ccaecat;Severity=medium;SourceUser=onsequ;TargetUser=temqu;GatewayStation=10.213.144.249;TicketID=udexerci;PolicyID=naal;UserName=lore;LogonDomain=tnonpro7635.localdomain;Address=illoin2914.mail.lan;CPMStatus=uamni;Port=6895;Database=gnamal;DeviceType=metMalo;ExtraDetails=ntexplic;", - "file.directory": "nve", - "file.name": "modtemp", - "fileset.name": "corepas", - "group.name": "onsequ", - "host.ip": "10.192.34.76", - "input.type": "log", - "log.level": "medium", - "log.offset": 11697, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5649", - "related.hosts": [ - "illoin2914.mail.lan", - "tnonpro7635.localdomain" - ], - "related.ip": [ - "10.192.34.76", - "10.213.144.249" - ], - "related.user": [ - "iquipe", - "lore", - "temqu" - ], - "rsa.db.database": "gnamal", - "rsa.db.index": "ntexplic", - "rsa.internal.event_desc": "ccaecat", - "rsa.internal.messageid": "90", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "remag", - "rsa.misc.disposition": "uamni", - "rsa.misc.group": "onsequ", - "rsa.misc.group_object": "quovol", - "rsa.misc.obj_type": "metMalo", - "rsa.misc.operation_id": "udexerci", - "rsa.misc.policy_name": "naal", - "rsa.misc.reference_id": "90", - "rsa.misc.reference_id1": "uredol", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5649", - 
"rsa.network.domain": "tnonpro7635.localdomain", - "rsa.network.host_dst": "illoin2914.mail.lan", - "server.domain": "tnonpro7635.localdomain", - "server.registered_domain": "tnonpro7635.localdomain", - "server.top_level_domain": "localdomain", - "service.type": "cyberark", - "source.ip": [ - "10.213.144.249" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "iquipe" - }, - { - "destination.address": "evit5780.www.corp", - "destination.port": 725, - "event.action": "accept", - "event.code": "376", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"376\";Version=1.2217;Message=accept;Issuer=untu;Station=10.154.4.197;File=con;Safe=nisist;Location=usmodte;Category=msequi;RequestId=tau;Reason=exercita;Severity=low;GatewayStation=10.216.84.30;TicketID=orumSe;PolicyID=boree;UserName=intoc;LogonDomain=rQuisau5300.www5.example;Address=evit5780.www.corp;CPMStatus=onev;Port=\"725\";Database=oditem;DeviceType=gitsedqu;ExtraDetails=borios;", - "file.directory": "usmodte", - "file.name": "con", - "fileset.name": "corepas", - "host.ip": "10.154.4.197", - "input.type": "log", - "log.level": "low", - "log.offset": 12221, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2217", - "related.hosts": [ - "evit5780.www.corp", - "rQuisau5300.www5.example" - ], - "related.ip": [ - "10.154.4.197", - "10.216.84.30" - ], - "related.user": [ - "intoc", - "untu" - ], - "rsa.db.database": "oditem", - "rsa.db.index": "borios", - "rsa.internal.event_desc": "exercita", - "rsa.internal.messageid": "376", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "msequi", - "rsa.misc.disposition": "onev", - "rsa.misc.group_object": "nisist", - "rsa.misc.obj_type": "gitsedqu", - "rsa.misc.operation_id": "orumSe", - "rsa.misc.policy_name": "boree", - "rsa.misc.reference_id": "376", - "rsa.misc.reference_id1": "tau", - "rsa.misc.severity": "low", - 
"rsa.misc.version": "1.2217", - "rsa.network.domain": "rQuisau5300.www5.example", - "rsa.network.host_dst": "evit5780.www.corp", - "server.domain": "rQuisau5300.www5.example", - "server.registered_domain": "www5.example", - "server.subdomain": "rQuisau5300", - "server.top_level_domain": "example", - "service.type": "cyberark", - "source.ip": [ - "10.216.84.30" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "untu" - }, - { - "event.action": "deny", - "event.code": "ess", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-02-03 21:16:50.492538723 +0000 UTC temUt631.www5.example %CYBERARK: MessageID=\"3\";npr 1.4414\",ProductAccount=\"niamqui\",ProductProcess=\"boNem\",EventId=\"ess\",EventClass=\"ipisci\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"tqu\",ActingAddress=\"10.143.193.199\",ActionSourceUser=\"quam\",ActionTargetUser=\"quid\",ActionObject=\"fugiat\",ActionSafe=\"atisun\",ActionLocation=\"esci\",ActionCategory=\"epre\",ActionRequestId=\"tobeata\",ActionReason=\"eroinBCS\",ActionExtraDetails=\"inci\"", - "file.directory": "esci", - "file.name": "fugiat", - "fileset.name": "corepas", - "host.ip": "10.143.193.199", - "input.type": "log", - "log.level": "medium", - "log.offset": 12628, - "observer.product": "npr", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4414", - "related.ip": [ - "10.143.193.199" - ], - "related.user": [ - "niamqui", - "quid", - "tqu" - ], - "rsa.db.index": "inci", - "rsa.internal.event_desc": "eroinBCS", - "rsa.internal.messageid": "3", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "epre", - "rsa.misc.group_object": "atisun", - "rsa.misc.reference_id": "ess", - "rsa.misc.reference_id1": "tobeata", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.4414", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tqu" - }, - { - 
"destination.address": "uisa5736.internal.local", - "destination.port": 302, - "event.action": "deny", - "event.code": "140", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "February 18 04:19:24 rnatur %CYBERARK: MessageID=\"140\";Version=1.5632;Message=deny;Issuer=essequam;Station=10.193.83.81;File=isisten;Safe=cusant;Location=atemq;Category=rinre;RequestId=naal;Reason=borios;Severity=high;SourceUser=isnostr;TargetUser=umqu;GatewayStation=10.65.175.9;TicketID=inesci;PolicyID=isnisi;UserName=ritatise;LogonDomain=uamei2389.internal.example;Address=uisa5736.internal.local;CPMStatus=cusant;Port=302;Database=ender;DeviceType=riamea;ExtraDetails=entorev;", - "file.directory": "atemq", - "file.name": "isisten", - "fileset.name": "corepas", - "group.name": "isnostr", - "host.ip": "10.193.83.81", - "input.type": "log", - "log.level": "high", - "log.offset": 13114, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5632", - "related.hosts": [ - "uamei2389.internal.example", - "uisa5736.internal.local" - ], - "related.ip": [ - "10.193.83.81", - "10.65.175.9" - ], - "related.user": [ - "essequam", - "ritatise", - "umqu" - ], - "rsa.db.database": "ender", - "rsa.db.index": "entorev", - "rsa.internal.event_desc": "borios", - "rsa.internal.messageid": "140", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "rinre", - "rsa.misc.disposition": "cusant", - "rsa.misc.group": "isnostr", - "rsa.misc.group_object": "cusant", - "rsa.misc.obj_type": "riamea", - "rsa.misc.operation_id": "inesci", - "rsa.misc.policy_name": "isnisi", - "rsa.misc.reference_id": "140", - "rsa.misc.reference_id1": "naal", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.5632", - "rsa.network.domain": "uamei2389.internal.example", - "rsa.network.host_dst": "uisa5736.internal.local", - "server.domain": "uamei2389.internal.example", - "server.registered_domain": "internal.example", - 
"server.subdomain": "uamei2389", - "server.top_level_domain": "example", - "service.type": "cyberark", - "source.ip": [ - "10.65.175.9" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "essequam" - }, - { - "event.action": "accept", - "event.code": "sau", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"87\";tutlab 1.792\",ProductAccount=\"tatn\",ProductProcess=\"dolorsit\",EventId=\"sau\",EventClass=\"aperia\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"umdolo\",ActingAddress=\"10.205.72.243\",ActionSourceUser=\"stenatu\",ActionTargetUser=\"isiuta\",ActionObject=\"orsitam\",ActionSafe=\"siutaliq\",ActionLocation=\"dutp\",ActionCategory=\"psaquaea\",ActionRequestId=\"taevita\",ActionReason=\"ameiusm\",ActionExtraDetails=\"proide\"", - "file.directory": "dutp", - "file.name": "orsitam", - "fileset.name": "corepas", - "host.ip": "10.205.72.243", - "input.type": "log", - "log.level": "very-high", - "log.offset": 13596, - "observer.product": "tutlab", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.792", - "related.ip": [ - "10.205.72.243" - ], - "related.user": [ - "isiuta", - "tatn", - "umdolo" - ], - "rsa.db.index": "proide", - "rsa.internal.event_desc": "ameiusm", - "rsa.internal.messageid": "87", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "psaquaea", - "rsa.misc.group_object": "siutaliq", - "rsa.misc.reference_id": "sau", - "rsa.misc.reference_id1": "taevita", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.792", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "umdolo" - }, - { - "event.action": "allow", - "event.code": "eumiure", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-03-18 18:24:33.272538723 +0000 UTC velitess7586.mail.example %CYBERARK: MessageID=\"45\";nre 
1.7231\",ProductAccount=\"sit\",ProductProcess=\"olab\",EventId=\"eumiure\",EventClass=\"ersp\",EventSeverity=\"medium\",EventMessage=\"allow\",ActingUserName=\"mquisno\",ActingAddress=\"10.107.9.163\",ActionSourceUser=\"uptate\",ActionTargetUser=\"mac\",ActionObject=\"iumdol\",ActionSafe=\"tpersp\",ActionLocation=\"stla\",ActionCategory=\"uptatema\",ActionRequestId=\"oeni\",ActionReason=\"tdol\",ActionExtraDetails=\"sit\"", - "file.directory": "stla", - "file.name": "iumdol", - "fileset.name": "corepas", - "host.ip": "10.107.9.163", - "input.type": "log", - "log.level": "medium", - "log.offset": 14043, - "observer.product": "nre", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7231", - "related.ip": [ - "10.107.9.163" - ], - "related.user": [ - "mac", - "mquisno", - "sit" - ], - "rsa.db.index": "sit", - "rsa.internal.event_desc": "tdol", - "rsa.internal.messageid": "45", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "uptatema", - "rsa.misc.group_object": "tpersp", - "rsa.misc.reference_id": "eumiure", - "rsa.misc.reference_id1": "oeni", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.7231", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mquisno" - }, - { - "event.action": "deny", - "event.code": "cinge", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "April 2 01:27:07 psum %CYBERARK: MessageID=\"132\";tasnulap 1.7220\",ProductAccount=\"umSe\",ProductProcess=\"xeacomm\",EventId=\"cinge\",EventClass=\"itla\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"asiarc\",ActingAddress=\"10.80.101.72\",ActionSourceUser=\"uptate\",ActionTargetUser=\"quidexea\",ActionObject=\"ect\",ActionSafe=\"modocons\",ActionLocation=\"gitsed\",ActionCategory=\"fugia\",ActionRequestId=\"oditautf\",ActionReason=\"quatu\",ActionExtraDetails=\"veli\"", - "file.directory": "gitsed", - "file.name": "ect", - "fileset.name": 
"corepas", - "host.ip": "10.80.101.72", - "input.type": "log", - "log.level": "high", - "log.offset": 14531, - "observer.product": "tasnulap", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7220", - "related.ip": [ - "10.80.101.72" - ], - "related.user": [ - "asiarc", - "quidexea", - "umSe" - ], - "rsa.db.index": "veli", - "rsa.internal.event_desc": "quatu", - "rsa.internal.messageid": "132", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "fugia", - "rsa.misc.group_object": "modocons", - "rsa.misc.reference_id": "cinge", - "rsa.misc.reference_id1": "oditautf", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.7220", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "asiarc" - }, - { - "destination.address": "utlab3706.api.host", - "destination.port": 246, - "event.action": "accept", - "event.code": "200", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "April 16 08:29:41 labo %CYBERARK: MessageID=\"200\";Version=1.267;Message=accept;Issuer=aboreetd;Station=10.235.136.109;File=lorin;Safe=pitl;Location=por;Category=quidexea;RequestId=nimid;Reason=runtmol;Severity=very-high;SourceUser=odi;TargetUser=ptass;GatewayStation=10.39.10.155;TicketID=dol;PolicyID=proiden;UserName=urExcept;LogonDomain=miurerep1152.internal.domain;Address=utlab3706.api.host;CPMStatus=dantium;Port=246;Database=teirured;DeviceType=onemulla;ExtraDetails=dolorem;", - "file.directory": "por", - "file.name": "lorin", - "fileset.name": "corepas", - "group.name": "odi", - "host.ip": "10.235.136.109", - "input.type": "log", - "log.level": "very-high", - "log.offset": 14988, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.267", - "related.hosts": [ - "miurerep1152.internal.domain", - "utlab3706.api.host" - ], - "related.ip": [ - "10.235.136.109", - "10.39.10.155" - ], - "related.user": [ - 
"aboreetd", - "ptass", - "urExcept" - ], - "rsa.db.database": "teirured", - "rsa.db.index": "dolorem", - "rsa.internal.event_desc": "runtmol", - "rsa.internal.messageid": "200", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "quidexea", - "rsa.misc.disposition": "dantium", - "rsa.misc.group": "odi", - "rsa.misc.group_object": "pitl", - "rsa.misc.obj_type": "onemulla", - "rsa.misc.operation_id": "dol", - "rsa.misc.policy_name": "proiden", - "rsa.misc.reference_id": "200", - "rsa.misc.reference_id1": "nimid", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.267", - "rsa.network.domain": "miurerep1152.internal.domain", - "rsa.network.host_dst": "utlab3706.api.host", - "server.domain": "miurerep1152.internal.domain", - "server.registered_domain": "internal.domain", - "server.subdomain": "miurerep1152", - "server.top_level_domain": "domain", - "service.type": "cyberark", - "source.ip": [ - "10.39.10.155" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "aboreetd" - }, - { - "event.action": "cancel", - "event.code": "nci", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "April 30 15:32:16 ationev %CYBERARK: MessageID=\"233\";umdolor 1.4389\",ProductAccount=\"itation\",ProductProcess=\"paquioff\",EventId=\"nci\",EventClass=\"isau\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"ibusBon\",ActingAddress=\"10.96.224.19\",ActionSourceUser=\"nsequat\",ActionTargetUser=\"doloreme\",ActionObject=\"dun\",ActionSafe=\"reprehe\",ActionLocation=\"tincu\",ActionCategory=\"suntin\",ActionRequestId=\"itse\",ActionReason=\"umexerc\",ActionExtraDetails=\"oremipsu\"", - "file.directory": "tincu", - "file.name": "dun", - "fileset.name": "corepas", - "host.ip": "10.96.224.19", - "input.type": "log", - "log.level": "low", - "log.offset": 15471, - "observer.product": "umdolor", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4389", - "related.ip": 
[ - "10.96.224.19" - ], - "related.user": [ - "doloreme", - "ibusBon", - "itation" - ], - "rsa.db.index": "oremipsu", - "rsa.internal.event_desc": "umexerc", - "rsa.internal.messageid": "233", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "suntin", - "rsa.misc.group_object": "reprehe", - "rsa.misc.reference_id": "nci", - "rsa.misc.reference_id1": "itse", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.4389", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ibusBon" - }, - { - "event.action": "cancel", - "event.code": "iquidexe", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-05-14 22:34:50.312538723 +0000 UTC ntsunt4826.mail.corp %CYBERARK: MessageID=\"170\";olo 1.237\",ProductAccount=\"aec\",ProductProcess=\"fdeF\",EventId=\"iquidexe\",EventClass=\"diconse\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"reseo\",ActingAddress=\"10.71.238.250\",ActionSourceUser=\"consequa\",ActionTargetUser=\"moenimi\",ActionObject=\"olupt\",ActionSafe=\"oconsequ\",ActionLocation=\"edquiac\",ActionCategory=\"urerepr\",ActionRequestId=\"eseru\",ActionReason=\"quamest\",ActionExtraDetails=\"mac\"", - "file.directory": "edquiac", - "file.name": "olupt", - "fileset.name": "corepas", - "host.ip": "10.71.238.250", - "input.type": "log", - "log.level": "medium", - "log.offset": 15937, - "observer.product": "olo", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.237", - "related.ip": [ - "10.71.238.250" - ], - "related.user": [ - "aec", - "moenimi", - "reseo" - ], - "rsa.db.index": "mac", - "rsa.internal.event_desc": "quamest", - "rsa.internal.messageid": "170", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "urerepr", - "rsa.misc.group_object": "oconsequ", - "rsa.misc.reference_id": "iquidexe", - "rsa.misc.reference_id1": "eseru", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.237", - 
"service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "reseo" - }, - { - "destination.address": "mvel1188.internal.localdomain", - "destination.port": 2694, - "event.action": "deny", - "event.code": "294", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"294\";Version=1.3804;Message=deny;Issuer=rationev;Station=10.226.20.199;File=tatem;Safe=untutlab;Location=amcor;Category=ica;RequestId=lillum;Reason=remips;Severity=low;SourceUser=taedicta;TargetUser=ritt;GatewayStation=10.226.101.180;TicketID=itesseq;PolicyID=dictasun;UserName=veniamqu;LogonDomain=rum5798.home;Address=mvel1188.internal.localdomain;CPMStatus=tetur;Port=2694;Database=conse;DeviceType=ipi;ExtraDetails=imveniam;", - "file.directory": "amcor", - "file.name": "tatem", - "fileset.name": "corepas", - "group.name": "taedicta", - "host.ip": "10.226.20.199", - "input.type": "log", - "log.level": "low", - "log.offset": 16437, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3804", - "related.hosts": [ - "mvel1188.internal.localdomain", - "rum5798.home" - ], - "related.ip": [ - "10.226.101.180", - "10.226.20.199" - ], - "related.user": [ - "rationev", - "ritt", - "veniamqu" - ], - "rsa.db.database": "conse", - "rsa.db.index": "imveniam", - "rsa.internal.event_desc": "remips", - "rsa.internal.messageid": "294", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "ica", - "rsa.misc.disposition": "tetur", - "rsa.misc.group": "taedicta", - "rsa.misc.group_object": "untutlab", - "rsa.misc.obj_type": "ipi", - "rsa.misc.operation_id": "itesseq", - "rsa.misc.policy_name": "dictasun", - "rsa.misc.reference_id": "294", - "rsa.misc.reference_id1": "lillum", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3804", - "rsa.network.domain": "rum5798.home", - "rsa.network.host_dst": "mvel1188.internal.localdomain", - "server.domain": 
"rum5798.home", - "server.registered_domain": "rum5798.home", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.226.101.180" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "rationev" - }, - { - "destination.address": "perspici5680.domain", - "destination.port": 2039, - "event.action": "cancel", - "event.code": "13", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "June 12 12:39:58 licabo %CYBERARK: MessageID=\"13\";Version=1.1493;Message=cancel;Issuer=utaliqu;Station=10.86.22.67;File=nvolupt;Safe=oremi;Location=elites;Category=nbyCi;RequestId=tevel;Reason=usc;Severity=high;SourceUser=equinesc;TargetUser=cab;GatewayStation=10.134.65.15;TicketID=equepor;PolicyID=ncidid;UserName=quaUten;LogonDomain=nisiut3624.api.example;Address=perspici5680.domain;CPMStatus=iconseq;Port=2039;Database=isciv;DeviceType=rroqu;ExtraDetails=nofd;", - "event.outcome": "failure", - "file.directory": "elites", - "file.name": "nvolupt", - "fileset.name": "corepas", - "group.name": "equinesc", - "host.ip": "10.86.22.67", - "input.type": "log", - "log.level": "high", - "log.offset": 16888, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1493", - "related.hosts": [ - "nisiut3624.api.example", - "perspici5680.domain" - ], - "related.ip": [ - "10.134.65.15", - "10.86.22.67" - ], - "related.user": [ - "cab", - "quaUten", - "utaliqu" - ], - "rsa.db.database": "isciv", - "rsa.db.index": "nofd", - "rsa.internal.event_desc": "usc", - "rsa.internal.messageid": "13", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "nbyCi", - "rsa.misc.disposition": "iconseq", - "rsa.misc.group": "equinesc", - "rsa.misc.group_object": "oremi", - "rsa.misc.obj_type": "rroqu", - 
"rsa.misc.operation_id": "equepor", - "rsa.misc.policy_name": "ncidid", - "rsa.misc.reference_id": "13", - "rsa.misc.reference_id1": "tevel", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.1493", - "rsa.network.domain": "nisiut3624.api.example", - "rsa.network.host_dst": "perspici5680.domain", - "server.domain": "nisiut3624.api.example", - "server.registered_domain": "api.example", - "server.subdomain": "nisiut3624", - "server.top_level_domain": "example", - "service.type": "cyberark", - "source.ip": [ - "10.134.65.15" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "utaliqu" - }, - { - "event.action": "accept", - "event.code": "tae", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"358\";ilmol 1.5112\",ProductAccount=\"tten\",ProductProcess=\"ueipsa\",EventId=\"tae\",EventClass=\"autodit\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"cidunt\",ActingAddress=\"10.70.147.120\",ActionSourceUser=\"exeaco\",ActionTargetUser=\"emqu\",ActionObject=\"nderi\",ActionSafe=\"acommod\",ActionLocation=\"itsedd\",ActionCategory=\"leumiur\",ActionRequestId=\"eratvol\",ActionReason=\"quidol\",ActionExtraDetails=\"eaqu\"", - "file.directory": "itsedd", - "file.name": "nderi", - "fileset.name": "corepas", - "host.ip": "10.70.147.120", - "input.type": "log", - "log.level": "very-high", - "log.offset": 17354, - "observer.product": "ilmol", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5112", - "related.ip": [ - "10.70.147.120" - ], - "related.user": [ - "cidunt", - "emqu", - "tten" - ], - "rsa.db.index": "eaqu", - "rsa.internal.event_desc": "quidol", - "rsa.internal.messageid": "358", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "leumiur", - "rsa.misc.group_object": "acommod", - "rsa.misc.reference_id": "tae", - "rsa.misc.reference_id1": "eratvol", - "rsa.misc.severity": "very-high", - "rsa.misc.version": 
"1.5112", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "cidunt" - }, - { - "destination.address": "ptateve6909.www5.lan", - "destination.port": 7645, - "event.action": "cancel", - "event.code": "160", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "luptatem 2017-07-11 02:45:07.352538723 +0000 UTC uaeratv3432.invalid %CYBERARK: MessageID=\"160\";Version=1.6255;Message=cancel;Issuer=dqu;Station=10.178.242.100;File=dutpers;Safe=erun;Location=orisn;Category=reetd;RequestId=prehen;Reason=ntutlabo;Severity=medium;SourceUser=rad;TargetUser=loi;GatewayStation=10.24.111.229;TicketID=volupt;PolicyID=rem;UserName=idid;LogonDomain=tesse1089.www.host;Address=ptateve6909.www5.lan;CPMStatus=toccaec;Port=7645;Database=tenatuse;DeviceType=psaqua;ExtraDetails=ullamcor;", - "file.directory": "orisn", - "file.name": "dutpers", - "fileset.name": "corepas", - "group.name": "rad", - "host.ip": "10.178.242.100", - "input.type": "log", - "log.level": "medium", - "log.offset": 17793, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6255", - "related.hosts": [ - "ptateve6909.www5.lan", - "tesse1089.www.host" - ], - "related.ip": [ - "10.178.242.100", - "10.24.111.229" - ], - "related.user": [ - "dqu", - "idid", - "loi" - ], - "rsa.db.database": "tenatuse", - "rsa.db.index": "ullamcor", - "rsa.internal.event_desc": "ntutlabo", - "rsa.internal.messageid": "160", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "reetd", - "rsa.misc.disposition": "toccaec", - "rsa.misc.group": "rad", - "rsa.misc.group_object": "erun", - "rsa.misc.obj_type": "psaqua", - "rsa.misc.operation_id": "volupt", - "rsa.misc.policy_name": "rem", - "rsa.misc.reference_id": "160", - "rsa.misc.reference_id1": "prehen", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6255", - "rsa.network.domain": "tesse1089.www.host", - 
"rsa.network.host_dst": "ptateve6909.www5.lan", - "server.domain": "tesse1089.www.host", - "server.registered_domain": "www.host", - "server.subdomain": "tesse1089", - "server.top_level_domain": "host", - "service.type": "cyberark", - "source.ip": [ - "10.24.111.229" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "dqu" - }, - { - "event.action": "deny", - "event.code": "ons", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-07-25 09:47:41.612538723 +0000 UTC cupi1867.www5.test %CYBERARK: MessageID=\"67\";orroq 1.6677\",ProductAccount=\"ritati\",ProductProcess=\"orisni\",EventId=\"ons\",EventClass=\"remagn\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"mmodoc\",ActingAddress=\"10.211.179.168\",ActionSourceUser=\"atu\",ActionTargetUser=\"untincul\",ActionObject=\"ssecil\",ActionSafe=\"commodi\",ActionLocation=\"emporain\",ActionCategory=\"ntiumto\",ActionRequestId=\"umetMalo\",ActionReason=\"oluptas\",ActionExtraDetails=\"emvele\"", - "file.directory": "emporain", - "file.name": "ssecil", - "fileset.name": "corepas", - "host.ip": "10.211.179.168", - "input.type": "log", - "log.level": "very-high", - "log.offset": 18304, - "observer.product": "orroq", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6677", - "related.ip": [ - "10.211.179.168" - ], - "related.user": [ - "mmodoc", - "ritati", - "untincul" - ], - "rsa.db.index": "emvele", - "rsa.internal.event_desc": "oluptas", - "rsa.internal.messageid": "67", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "ntiumto", - "rsa.misc.group_object": "commodi", - "rsa.misc.reference_id": "ons", - "rsa.misc.reference_id1": "umetMalo", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6677", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mmodoc" - }, - { - "event.action": "cancel", - "event.code": "olorsi", - 
"event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "Sedut 2017-08-08 16:50:15.872538723 +0000 UTC yCiceroi2786.www.test %CYBERARK: MessageID=\"141\";iquamqua 1.4890\",ProductAccount=\"dolore\",ProductProcess=\"nsequat\",EventId=\"olorsi\",EventClass=\"aliq\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"mven\",ActingAddress=\"10.30.243.163\",ActionSourceUser=\"oremag\",ActionTargetUser=\"illu\",ActionObject=\"ruredo\",ActionSafe=\"mac\",ActionLocation=\"temUt\",ActionCategory=\"ptassita\",ActionRequestId=\"its\",ActionReason=\"lore\",ActionExtraDetails=\"idol\"", - "file.directory": "temUt", - "file.name": "ruredo", - "fileset.name": "corepas", - "host.ip": "10.30.243.163", - "input.type": "log", - "log.level": "low", - "log.offset": 18809, - "observer.product": "iquamqua", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4890", - "related.ip": [ - "10.30.243.163" - ], - "related.user": [ - "dolore", - "illu", - "mven" - ], - "rsa.db.index": "idol", - "rsa.internal.event_desc": "lore", - "rsa.internal.messageid": "141", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "ptassita", - "rsa.misc.group_object": "mac", - "rsa.misc.reference_id": "olorsi", - "rsa.misc.reference_id1": "its", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.4890", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mven" - }, - { - "destination.address": "modocon5089.mail.example", - "destination.port": 5112, - "event.action": "cancel", - "event.code": "26", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-08-22 23:52:50.132538723 +0000 UTC urmag7650.api.invalid %CYBERARK: 
MessageID=\"26\";Version=1.1844;Message=cancel;Issuer=amvo;Station=10.6.79.159;File=ommodo;Safe=uptat;Location=idex;Category=ptateve;RequestId=cons;Reason=olorese;Severity=high;SourceUser=ore;TargetUser=quid;GatewayStation=10.212.214.4;TicketID=ddoeius;PolicyID=ugiatn;UserName=midestl;LogonDomain=dictasun3878.internal.localhost;Address=modocon5089.mail.example;CPMStatus=lupta;Port=5112;Database=urExce;DeviceType=asi;ExtraDetails=ectiono;", - "file.directory": "idex", - "file.name": "ommodo", - "fileset.name": "corepas", - "group.name": "ore", - "host.ip": "10.6.79.159", - "input.type": "log", - "log.level": "high", - "log.offset": 19305, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1844", - "related.hosts": [ - "dictasun3878.internal.localhost", - "modocon5089.mail.example" - ], - "related.ip": [ - "10.212.214.4", - "10.6.79.159" - ], - "related.user": [ - "amvo", - "midestl", - "quid" - ], - "rsa.db.database": "urExce", - "rsa.db.index": "ectiono", - "rsa.internal.event_desc": "olorese", - "rsa.internal.messageid": "26", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "ptateve", - "rsa.misc.disposition": "lupta", - "rsa.misc.group": "ore", - "rsa.misc.group_object": "uptat", - "rsa.misc.obj_type": "asi", - "rsa.misc.operation_id": "ddoeius", - "rsa.misc.policy_name": "ugiatn", - "rsa.misc.reference_id": "26", - "rsa.misc.reference_id1": "cons", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.1844", - "rsa.network.domain": "dictasun3878.internal.localhost", - "rsa.network.host_dst": "modocon5089.mail.example", - "server.domain": "dictasun3878.internal.localhost", - "server.registered_domain": "internal.localhost", - "server.subdomain": "dictasun3878", - "server.top_level_domain": "localhost", - "service.type": "cyberark", - "source.ip": [ - "10.212.214.4" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "amvo" - }, - { - "destination.address": 
"tempor1282.www5.localhost", - "destination.port": 7699, - "event.action": "deny", - "event.code": "150", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "onu 2017-09-06 06:55:24.392538723 +0000 UTC liquaUte6729.api.localhost %CYBERARK: MessageID=\"150\";Version=1.3546;Message=deny;Issuer=atDu;Station=10.237.170.202;File=maperi;Safe=agnaaliq;Location=tlaboree;Category=norumet;RequestId=dtempo;Reason=tin;Severity=low;SourceUser=mve;TargetUser=liquide;GatewayStation=10.70.147.46;TicketID=inv;PolicyID=rroq;UserName=rcit;LogonDomain=aecatcup2241.www5.test;Address=tempor1282.www5.localhost;CPMStatus=incidid;Port=7699;Database=taedict;DeviceType=edquian;ExtraDetails=loremeu;", - "file.directory": "tlaboree", - "file.name": "maperi", - "fileset.name": "corepas", - "group.name": "mve", - "host.ip": "10.237.170.202", - "input.type": "log", - "log.level": "low", - "log.offset": 19818, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3546", - "related.hosts": [ - "aecatcup2241.www5.test", - "tempor1282.www5.localhost" - ], - "related.ip": [ - "10.237.170.202", - "10.70.147.46" - ], - "related.user": [ - "atDu", - "liquide", - "rcit" - ], - "rsa.db.database": "taedict", - "rsa.db.index": "loremeu", - "rsa.internal.event_desc": "tin", - "rsa.internal.messageid": "150", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "norumet", - "rsa.misc.disposition": "incidid", - "rsa.misc.group": "mve", - "rsa.misc.group_object": "agnaaliq", - "rsa.misc.obj_type": "edquian", - "rsa.misc.operation_id": "inv", - "rsa.misc.policy_name": "rroq", - "rsa.misc.reference_id": "150", - "rsa.misc.reference_id1": "dtempo", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3546", - "rsa.network.domain": "aecatcup2241.www5.test", - "rsa.network.host_dst": "tempor1282.www5.localhost", - "server.domain": "aecatcup2241.www5.test", - "server.registered_domain": "www5.test", - 
"server.subdomain": "aecatcup2241", - "server.top_level_domain": "test", - "service.type": "cyberark", - "source.ip": [ - "10.70.147.46" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "atDu" - }, - { - "destination.address": "mipsum2964.invalid", - "destination.port": 6825, - "event.action": "allow", - "event.code": "292", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "dmi 2017-09-20 13:57:58.652538723 +0000 UTC untexpl2847.www5.local %CYBERARK: MessageID=\"292\";Version=1.4282;Message=allow;Issuer=emoe;Station=10.179.50.138;File=ehende;Safe=eaqueip;Location=eum;Category=lamc;RequestId=umetMal;Reason=asper;Severity=high;SourceUser=metcons;TargetUser=itasper;GatewayStation=10.228.118.81;TicketID=temquiav;PolicyID=obeata;UserName=tatemU;LogonDomain=mad5185.www5.localhost;Address=mipsum2964.invalid;CPMStatus=doei;Port=6825;Database=toditaut;DeviceType=voluptat;ExtraDetails=ugit;", - "file.directory": "eum", - "file.name": "ehende", - "fileset.name": "corepas", - "group.name": "metcons", - "host.ip": "10.179.50.138", - "input.type": "log", - "log.level": "high", - "log.offset": 20339, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4282", - "related.hosts": [ - "mad5185.www5.localhost", - "mipsum2964.invalid" - ], - "related.ip": [ - "10.179.50.138", - "10.228.118.81" - ], - "related.user": [ - "emoe", - "itasper", - "tatemU" - ], - "rsa.db.database": "toditaut", - "rsa.db.index": "ugit", - "rsa.internal.event_desc": "asper", - "rsa.internal.messageid": "292", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "lamc", - "rsa.misc.disposition": "doei", - "rsa.misc.group": "metcons", - "rsa.misc.group_object": "eaqueip", - "rsa.misc.obj_type": "voluptat", - "rsa.misc.operation_id": "temquiav", - "rsa.misc.policy_name": "obeata", - "rsa.misc.reference_id": "292", - "rsa.misc.reference_id1": "umetMal", - "rsa.misc.severity": 
"high", - "rsa.misc.version": "1.4282", - "rsa.network.domain": "mad5185.www5.localhost", - "rsa.network.host_dst": "mipsum2964.invalid", - "server.domain": "mad5185.www5.localhost", - "server.registered_domain": "www5.localhost", - "server.subdomain": "mad5185", - "server.top_level_domain": "localhost", - "service.type": "cyberark", - "source.ip": [ - "10.228.118.81" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "emoe" - }, - { - "destination.address": "veniamq1236.invalid", - "destination.port": 1458, - "event.action": "cancel", - "event.code": "38", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "October 4 21:00:32 asnu %CYBERARK: MessageID=\"38\";Version=1.3806;Message=cancel;Issuer=henderit;Station=10.49.71.118;File=ationul;Safe=mquisn;Location=queips;Category=midest;RequestId=dex;Reason=ccae;Severity=medium;SourceUser=eavolup;TargetUser=emip;GatewayStation=10.234.165.130;TicketID=ntexplic;PolicyID=uto;UserName=iuntNequ;LogonDomain=esseq7889.www.invalid;Address=veniamq1236.invalid;CPMStatus=emo;Port=1458;Database=veniamqu;DeviceType=licaboN;ExtraDetails=atquo;", - "file.directory": "queips", - "file.name": "ationul", - "fileset.name": "corepas", - "group.name": "eavolup", - "host.ip": "10.49.71.118", - "input.type": "log", - "log.level": "medium", - "log.offset": 20854, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3806", - "related.hosts": [ - "esseq7889.www.invalid", - "veniamq1236.invalid" - ], - "related.ip": [ - "10.234.165.130", - "10.49.71.118" - ], - "related.user": [ - "emip", - "henderit", - "iuntNequ" - ], - "rsa.db.database": "veniamqu", - "rsa.db.index": "atquo", - "rsa.internal.event_desc": "ccae", - "rsa.internal.messageid": "38", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "midest", - "rsa.misc.disposition": "emo", - "rsa.misc.group": "eavolup", - "rsa.misc.group_object": "mquisn", - 
"rsa.misc.obj_type": "licaboN", - "rsa.misc.operation_id": "ntexplic", - "rsa.misc.policy_name": "uto", - "rsa.misc.reference_id": "38", - "rsa.misc.reference_id1": "dex", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3806", - "rsa.network.domain": "esseq7889.www.invalid", - "rsa.network.host_dst": "veniamq1236.invalid", - "server.domain": "esseq7889.www.invalid", - "server.registered_domain": "www.invalid", - "server.subdomain": "esseq7889", - "server.top_level_domain": "invalid", - "service.type": "cyberark", - "source.ip": [ - "10.234.165.130" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "henderit" - }, - { - "event.action": "allow", - "event.code": "tatem", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "udan 2017-10-19 04:03:07.172538723 +0000 UTC yCic5749.www.localhost %CYBERARK: MessageID=\"119\";itanim 1.4024\",ProductAccount=\"olorema\",ProductProcess=\"mollita\",EventId=\"tatem\",EventClass=\"iae\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"emip\",ActingAddress=\"10.199.5.49\",ActionSourceUser=\"stquid\",ActionTargetUser=\"turadipi\",ActionObject=\"usmodi\",ActionSafe=\"ree\",ActionLocation=\"saquaea\",ActionCategory=\"ation\",ActionRequestId=\"luptas\",ActionReason=\"minim\",ActionExtraDetails=\"ataevi\"", - "file.directory": "saquaea", - "file.name": "usmodi", - "fileset.name": "corepas", - "host.ip": "10.199.5.49", - "input.type": "log", - "log.level": "low", - "log.offset": 21327, - "observer.product": "itanim", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4024", - "related.ip": [ - "10.199.5.49" - ], - "related.user": [ - "emip", - "olorema", - "turadipi" - ], - "rsa.db.index": "ataevi", - "rsa.internal.event_desc": "minim", - "rsa.internal.messageid": "119", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "ation", - "rsa.misc.group_object": "ree", - "rsa.misc.reference_id": "tatem", - 
"rsa.misc.reference_id1": "luptas", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.4024", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "emip" - }, - { - "event.action": "allow", - "event.code": "tionula", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"156\";plic 1.7053\",ProductAccount=\"utlabo\",ProductProcess=\"tetur\",EventId=\"tionula\",EventClass=\"ritqu\",EventSeverity=\"very-high\",EventMessage=\"allow\",ActingUserName=\"uamei\",ActingAddress=\"10.193.219.34\",ActionSourceUser=\"onse\",ActionTargetUser=\"olorem\",ActionObject=\"turvel\",ActionSafe=\"eratv\",ActionLocation=\"ipsa\",ActionCategory=\"asuntexp\",ActionRequestId=\"adminim\",ActionReason=\"orisni\",ActionExtraDetails=\"nse\"", - "file.directory": "ipsa", - "file.name": "turvel", - "fileset.name": "corepas", - "host.ip": "10.193.219.34", - "input.type": "log", - "log.level": "very-high", - "log.offset": 21826, - "observer.product": "plic", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7053", - "related.ip": [ - "10.193.219.34" - ], - "related.user": [ - "olorem", - "uamei", - "utlabo" - ], - "rsa.db.index": "nse", - "rsa.internal.event_desc": "orisni", - "rsa.internal.messageid": "156", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "asuntexp", - "rsa.misc.group_object": "eratv", - "rsa.misc.reference_id": "tionula", - "rsa.misc.reference_id1": "adminim", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.7053", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "uamei" - }, - { - "destination.address": "taliqui5348.mail.localdomain", - "destination.port": 6816, - "event.action": "allow", - "event.code": "202", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "November 16 18:08:15 nderi %CYBERARK: 
MessageID=\"202\";Version=1.7083;Message=allow;Issuer=animid;Station=10.120.167.217;File=atuse;Safe=ueipsa;Location=scipitl;Category=eumi;RequestId=quasiarc;Reason=olli;Severity=low;SourceUser=tetura;TargetUser=rsp;GatewayStation=10.174.185.109;TicketID=roquisqu;PolicyID=edolorin;UserName=dolorem;LogonDomain=tem6815.home;Address=taliqui5348.mail.localdomain;CPMStatus=loremag;Port=6816;Database=tsuntinc;DeviceType=inrepreh;ExtraDetails=quovo;", - "file.directory": "scipitl", - "file.name": "atuse", - "fileset.name": "corepas", - "group.name": "tetura", - "host.ip": "10.120.167.217", - "input.type": "log", - "log.level": "low", - "log.offset": 22262, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7083", - "related.hosts": [ - "taliqui5348.mail.localdomain", - "tem6815.home" - ], - "related.ip": [ - "10.120.167.217", - "10.174.185.109" - ], - "related.user": [ - "animid", - "dolorem", - "rsp" - ], - "rsa.db.database": "tsuntinc", - "rsa.db.index": "quovo", - "rsa.internal.event_desc": "olli", - "rsa.internal.messageid": "202", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "eumi", - "rsa.misc.disposition": "loremag", - "rsa.misc.group": "tetura", - "rsa.misc.group_object": "ueipsa", - "rsa.misc.obj_type": "inrepreh", - "rsa.misc.operation_id": "roquisqu", - "rsa.misc.policy_name": "edolorin", - "rsa.misc.reference_id": "202", - "rsa.misc.reference_id1": "quasiarc", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7083", - "rsa.network.domain": "tem6815.home", - "rsa.network.host_dst": "taliqui5348.mail.localdomain", - "server.domain": "tem6815.home", - "server.registered_domain": "tem6815.home", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.174.185.109" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "animid" - }, - { - "destination.address": "atnulapa3548.www.domain", - "destination.port": 5347, - 
"event.action": "cancel", - "event.code": "133", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"133\";Version=1.1432;Message=cancel;Issuer=atev;Station=10.117.137.159;File=acommodi;Safe=essecill;Location=billoi;Category=moles;RequestId=dipiscin;Reason=olup;Severity=high;SourceUser=undeomni;TargetUser=accusa;GatewayStation=10.141.213.219;TicketID=itat;PolicyID=stlaboru;UserName=ate;LogonDomain=mporainc2064.home;Address=atnulapa3548.www.domain;CPMStatus=radipisc;Port=5347;Database=nibus;DeviceType=vitaed;ExtraDetails=ser;", - "file.directory": "billoi", - "file.name": "acommodi", - "fileset.name": "corepas", - "group.name": "undeomni", - "host.ip": "10.117.137.159", - "input.type": "log", - "log.level": "high", - "log.offset": 22744, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1432", - "related.hosts": [ - "atnulapa3548.www.domain", - "mporainc2064.home" - ], - "related.ip": [ - "10.117.137.159", - "10.141.213.219" - ], - "related.user": [ - "accusa", - "ate", - "atev" - ], - "rsa.db.database": "nibus", - "rsa.db.index": "ser", - "rsa.internal.event_desc": "olup", - "rsa.internal.messageid": "133", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "moles", - "rsa.misc.disposition": "radipisc", - "rsa.misc.group": "undeomni", - "rsa.misc.group_object": "essecill", - "rsa.misc.obj_type": "vitaed", - "rsa.misc.operation_id": "itat", - "rsa.misc.policy_name": "stlaboru", - "rsa.misc.reference_id": "133", - "rsa.misc.reference_id1": "dipiscin", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.1432", - "rsa.network.domain": "mporainc2064.home", - "rsa.network.host_dst": "atnulapa3548.www.domain", - "server.domain": "mporainc2064.home", - "server.registered_domain": "mporainc2064.home", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.141.213.219" - ], - "tags": [ - 
"cyberark.corepas", - "forwarded" - ], - "user.name": "atev" - }, - { - "destination.address": "litesseq6785.host", - "destination.port": 7390, - "event.action": "cancel", - "event.code": "104", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2017-12-15 08:13:24.212538723 +0000 UTC ill6772.www.invalid %CYBERARK: MessageID=\"104\";Version=1.4043;Message=cancel;Issuer=rem;Station=10.166.90.130;File=mdolore;Safe=eosquira;Location=pta;Category=snos;RequestId=orsi;Reason=tetura;Severity=very-high;SourceUser=lorsita;TargetUser=eavol;GatewayStation=10.94.224.229;TicketID=lupta;PolicyID=npr;UserName=etconsec;LogonDomain=caboNem1043.internal.home;Address=litesseq6785.host;CPMStatus=tob;Port=7390;Database=oditempo;DeviceType=doeiu;ExtraDetails=deF;", - "file.directory": "pta", - "file.name": "mdolore", - "fileset.name": "corepas", - "group.name": "lorsita", - "host.ip": "10.166.90.130", - "input.type": "log", - "log.level": "very-high", - "log.offset": 23195, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4043", - "related.hosts": [ - "caboNem1043.internal.home", - "litesseq6785.host" - ], - "related.ip": [ - "10.166.90.130", - "10.94.224.229" - ], - "related.user": [ - "eavol", - "etconsec", - "rem" - ], - "rsa.db.database": "oditempo", - "rsa.db.index": "deF", - "rsa.internal.event_desc": "tetura", - "rsa.internal.messageid": "104", - "rsa.investigations.ec_activity": "Disable", - "rsa.investigations.ec_subject": "User", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "snos", - "rsa.misc.disposition": "tob", - "rsa.misc.group": "lorsita", - "rsa.misc.group_object": "eosquira", - "rsa.misc.obj_type": "doeiu", - "rsa.misc.operation_id": "lupta", - "rsa.misc.policy_name": "npr", - "rsa.misc.reference_id": "104", - "rsa.misc.reference_id1": "orsi", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.4043", - "rsa.network.domain": 
"caboNem1043.internal.home", - "rsa.network.host_dst": "litesseq6785.host", - "server.domain": "caboNem1043.internal.home", - "server.registered_domain": "internal.home", - "server.subdomain": "caboNem1043", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.94.224.229" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "rem" - }, - { - "destination.address": "onnu2272.mail.corp", - "destination.port": 6064, - "event.action": "deny", - "event.code": "316", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "rcitat 2017-12-29 15:15:58.472538723 +0000 UTC dolorema2984.www.home %CYBERARK: MessageID=\"316\";Version=1.2456;Message=deny;Issuer=tiumto;Station=10.38.28.151;File=nrepreh;Safe=ratv;Location=alorum;Category=mquisn;RequestId=atq;Reason=erspi;Severity=low;SourceUser=ugiatquo;TargetUser=incidid;GatewayStation=10.201.81.46;TicketID=sBonor;PolicyID=fugits;UserName=mipsumqu;LogonDomain=tatio6513.www.invalid;Address=onnu2272.mail.corp;CPMStatus=atatnon;Port=6064;Database=abor;DeviceType=magnid;ExtraDetails=adol;", - "file.directory": "alorum", - "file.name": "nrepreh", - "fileset.name": "corepas", - "group.name": "ugiatquo", - "host.ip": "10.38.28.151", - "input.type": "log", - "log.level": "low", - "log.offset": 23699, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2456", - "related.hosts": [ - "onnu2272.mail.corp", - "tatio6513.www.invalid" - ], - "related.ip": [ - "10.201.81.46", - "10.38.28.151" - ], - "related.user": [ - "incidid", - "mipsumqu", - "tiumto" - ], - "rsa.db.database": "abor", - "rsa.db.index": "adol", - "rsa.internal.event_desc": "erspi", - "rsa.internal.messageid": "316", - "rsa.investigations.ec_activity": "Modify", - "rsa.investigations.ec_theme": "Password", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "mquisn", - "rsa.misc.disposition": "atatnon", - 
"rsa.misc.group": "ugiatquo", - "rsa.misc.group_object": "ratv", - "rsa.misc.obj_type": "magnid", - "rsa.misc.operation_id": "sBonor", - "rsa.misc.policy_name": "fugits", - "rsa.misc.reference_id": "316", - "rsa.misc.reference_id1": "atq", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.2456", - "rsa.network.domain": "tatio6513.www.invalid", - "rsa.network.host_dst": "onnu2272.mail.corp", - "server.domain": "tatio6513.www.invalid", - "server.registered_domain": "www.invalid", - "server.subdomain": "tatio6513", - "server.top_level_domain": "invalid", - "service.type": "cyberark", - "source.ip": [ - "10.201.81.46" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tiumto" - }, - { - "destination.address": "llit958.www.domain", - "destination.port": 2957, - "event.action": "deny", - "event.code": "266", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "January 12 22:18:32 niam %CYBERARK: MessageID=\"266\";Version=1.2721;Message=deny;Issuer=rerepre;Station=10.214.245.95;File=quiineav;Safe=billoinv;Location=sci;Category=col;RequestId=obea;Reason=emp;Severity=medium;SourceUser=luptas;TargetUser=uptatem;GatewayStation=10.255.28.56;TicketID=inrepr;PolicyID=mol;UserName=umdolors;LogonDomain=dolori6232.api.invalid;Address=llit958.www.domain;CPMStatus=tat;Port=2957;Database=odt;DeviceType=cillumd;ExtraDetails=riosa;", - "file.directory": "sci", - "file.name": "quiineav", - "fileset.name": "corepas", - "group.name": "luptas", - "host.ip": "10.214.245.95", - "input.type": "log", - "log.level": "medium", - "log.offset": 24210, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2721", - "related.hosts": [ - "dolori6232.api.invalid", - "llit958.www.domain" - ], - "related.ip": [ - "10.214.245.95", - "10.255.28.56" - ], - "related.user": [ - "rerepre", - "umdolors", - "uptatem" - ], - "rsa.db.database": "odt", - "rsa.db.index": "riosa", - 
"rsa.internal.event_desc": "emp", - "rsa.internal.messageid": "266", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "col", - "rsa.misc.disposition": "tat", - "rsa.misc.group": "luptas", - "rsa.misc.group_object": "billoinv", - "rsa.misc.obj_type": "cillumd", - "rsa.misc.operation_id": "inrepr", - "rsa.misc.policy_name": "mol", - "rsa.misc.reference_id": "266", - "rsa.misc.reference_id1": "obea", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.2721", - "rsa.network.domain": "dolori6232.api.invalid", - "rsa.network.host_dst": "llit958.www.domain", - "server.domain": "dolori6232.api.invalid", - "server.registered_domain": "api.invalid", - "server.subdomain": "dolori6232", - "server.top_level_domain": "invalid", - "service.type": "cyberark", - "source.ip": [ - "10.255.28.56" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "rerepre" - }, - { - "event.action": "cancel", - "event.code": "nim", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "January 27 05:21:06 lapar %CYBERARK: MessageID=\"311\";ritati 1.3219\",ProductAccount=\"qui\",ProductProcess=\"otamr\",EventId=\"nim\",EventClass=\"ame\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"mip\",ActingAddress=\"10.45.35.180\",ActionSourceUser=\"mvolupta\",ActionTargetUser=\"Utenima\",ActionObject=\"iqua\",ActionSafe=\"luptat\",ActionLocation=\"deriti\",ActionCategory=\"sintocc\",ActionRequestId=\"cididu\",ActionReason=\"uteir\",ActionExtraDetails=\"boree\"", - "file.directory": "deriti", - "file.name": "iqua", - "fileset.name": "corepas", - "host.ip": "10.45.35.180", - "input.type": "log", - "log.level": "very-high", - "log.offset": 24673, - "observer.product": "ritati", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3219", - "related.ip": [ - "10.45.35.180" - ], - "related.user": [ - "Utenima", - "mip", - "qui" - ], - "rsa.db.index": "boree", - "rsa.internal.event_desc": 
"uteir", - "rsa.internal.messageid": "311", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "sintocc", - "rsa.misc.group_object": "luptat", - "rsa.misc.reference_id": "nim", - "rsa.misc.reference_id1": "cididu", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3219", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mip" - }, - { - "event.action": "accept", - "event.code": "scivel", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "February 10 12:23:41 diduntu %CYBERARK: MessageID=\"285\";eiusmod 1.7546\",ProductAccount=\"ess\",ProductProcess=\"uide\",EventId=\"scivel\",EventClass=\"henderi\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"enim\",ActingAddress=\"10.141.200.133\",ActionSourceUser=\"ersp\",ActionTargetUser=\"iame\",ActionObject=\"orroquis\",ActionSafe=\"aquio\",ActionLocation=\"riatu\",ActionCategory=\"loinve\",ActionRequestId=\"tanimid\",ActionReason=\"isnostru\",ActionExtraDetails=\"nofdeFi\"", - "file.directory": "riatu", - "file.name": "orroquis", - "fileset.name": "corepas", - "host.ip": "10.141.200.133", - "input.type": "log", - "log.level": "low", - "log.offset": 25131, - "observer.product": "eiusmod", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7546", - "related.ip": [ - "10.141.200.133" - ], - "related.user": [ - "enim", - "ess", - "iame" - ], - "rsa.db.index": "nofdeFi", - "rsa.internal.event_desc": "isnostru", - "rsa.internal.messageid": "285", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "loinve", - "rsa.misc.group_object": "aquio", - "rsa.misc.reference_id": "scivel", - "rsa.misc.reference_id1": "tanimid", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7546", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "enim" - }, - { - "event.action": "accept", - "event.code": "rationev", - 
"event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"155\";ulap 1.3765\",ProductAccount=\"illoi\",ProductProcess=\"reetdolo\",EventId=\"rationev\",EventClass=\"ehender\",EventSeverity=\"medium\",EventMessage=\"accept\",ActingUserName=\"ugi\",ActingAddress=\"10.83.238.145\",ActionSourceUser=\"ptatems\",ActionTargetUser=\"runtmo\",ActionObject=\"ore\",ActionSafe=\"isund\",ActionLocation=\"exerci\",ActionCategory=\"tas\",ActionRequestId=\"oraincid\",ActionReason=\"quaer\",ActionExtraDetails=\"eetdo\"", - "file.directory": "exerci", - "file.name": "ore", - "fileset.name": "corepas", - "host.ip": "10.83.238.145", - "input.type": "log", - "log.level": "medium", - "log.offset": 25596, - "observer.product": "ulap", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3765", - "related.ip": [ - "10.83.238.145" - ], - "related.user": [ - "illoi", - "runtmo", - "ugi" - ], - "rsa.db.index": "eetdo", - "rsa.internal.event_desc": "quaer", - "rsa.internal.messageid": "155", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "tas", - "rsa.misc.group_object": "isund", - "rsa.misc.reference_id": "rationev", - "rsa.misc.reference_id1": "oraincid", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.3765", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ugi" - }, - { - "destination.address": "llamc6724.www.lan", - "destination.port": 4020, - "event.action": "block", - "event.code": "48", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2018-03-11 02:28:49.772538723 +0000 UTC aali6869.api.localdomain %CYBERARK: 
MessageID=\"48\";Version=1.3147;Message=block;Issuer=sedquiac;Station=10.39.143.155;File=ipsaqu;Safe=nisiut;Location=rumwri;Category=velill;RequestId=ore;Reason=tation;Severity=very-high;SourceUser=porincid;TargetUser=tperspic;GatewayStation=10.41.89.217;TicketID=ict;PolicyID=squirati;UserName=tem;LogonDomain=mestq2106.api.host;Address=llamc6724.www.lan;CPMStatus=tesseci;Port=4020;Database=radipis;DeviceType=cive;ExtraDetails=nse;", - "file.directory": "rumwri", - "file.name": "ipsaqu", - "fileset.name": "corepas", - "group.name": "porincid", - "host.ip": "10.39.143.155", - "input.type": "log", - "log.level": "very-high", - "log.offset": 26032, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3147", - "related.hosts": [ - "llamc6724.www.lan", - "mestq2106.api.host" - ], - "related.ip": [ - "10.39.143.155", - "10.41.89.217" - ], - "related.user": [ - "sedquiac", - "tem", - "tperspic" - ], - "rsa.db.database": "radipis", - "rsa.db.index": "nse", - "rsa.internal.event_desc": "tation", - "rsa.internal.messageid": "48", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "velill", - "rsa.misc.disposition": "tesseci", - "rsa.misc.group": "porincid", - "rsa.misc.group_object": "nisiut", - "rsa.misc.obj_type": "cive", - "rsa.misc.operation_id": "ict", - "rsa.misc.policy_name": "squirati", - "rsa.misc.reference_id": "48", - "rsa.misc.reference_id1": "ore", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3147", - "rsa.network.domain": "mestq2106.api.host", - "rsa.network.host_dst": "llamc6724.www.lan", - "server.domain": "mestq2106.api.host", - "server.registered_domain": "api.host", - "server.subdomain": "mestq2106", - "server.top_level_domain": "host", - "service.type": "cyberark", - "source.ip": [ - "10.41.89.217" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "sedquiac" - }, - { - "destination.address": "reseosqu1629.mail.lan", - "destination.port": 5325, - 
"event.action": "accept", - "event.code": "378", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "isnisiu 2018-03-25 09:31:24.032538723 +0000 UTC suntincu2940.www5.domain %CYBERARK: MessageID=\"378\";Version=1.6382;Message=accept;Issuer=minim;Station=10.5.5.1;File=reseosq;Safe=gna;Location=isiutali;Category=lumqu;RequestId=onulamco;Reason=ons;Severity=low;SourceUser=uptat;TargetUser=unt;GatewayStation=10.153.123.20;TicketID=tla;PolicyID=mquiad;UserName=CSe;LogonDomain=lors7553.api.local;Address=reseosqu1629.mail.lan;CPMStatus=utemvel;Port=5325;Database=atu;DeviceType=iusm;ExtraDetails=roi;", - "file.directory": "isiutali", - "file.name": "reseosq", - "fileset.name": "corepas", - "group.name": "uptat", - "host.ip": "10.5.5.1", - "input.type": "log", - "log.level": "low", - "log.offset": 26541, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6382", - "related.hosts": [ - "lors7553.api.local", - "reseosqu1629.mail.lan" - ], - "related.ip": [ - "10.153.123.20", - "10.5.5.1" - ], - "related.user": [ - "CSe", - "minim", - "unt" - ], - "rsa.db.database": "atu", - "rsa.db.index": "roi", - "rsa.internal.event_desc": "ons", - "rsa.internal.messageid": "378", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "lumqu", - "rsa.misc.disposition": "utemvel", - "rsa.misc.group": "uptat", - "rsa.misc.group_object": "gna", - "rsa.misc.obj_type": "iusm", - "rsa.misc.operation_id": "tla", - "rsa.misc.policy_name": "mquiad", - "rsa.misc.reference_id": "378", - "rsa.misc.reference_id1": "onulamco", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.6382", - "rsa.network.domain": "lors7553.api.local", - "rsa.network.host_dst": "reseosqu1629.mail.lan", - "server.domain": "lors7553.api.local", - "server.registered_domain": "api.local", - "server.subdomain": "lors7553", - "server.top_level_domain": "local", - "service.type": "cyberark", - "source.ip": [ - 
"10.153.123.20" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "minim" - }, - { - "destination.address": "orumSe4514.www.corp", - "destination.port": 80, - "event.action": "deny", - "event.code": "269", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2018-04-08 16:33:58.292538723 +0000 UTC rere5274.mail.domain %CYBERARK: MessageID=\"269\";Version=1.3193;Message=deny;Issuer=iamea;Station=10.210.61.109;File=tiumto;Safe=cor;Location=odoco;Category=oin;RequestId=itseddoe;Reason=elites;Severity=low;SourceUser=uamei;TargetUser=eursinto;GatewayStation=10.168.132.175;TicketID=licaboNe;PolicyID=tautfug;UserName=giatquov;LogonDomain=olu5333.www.domain;Address=orumSe4514.www.corp;CPMStatus=umquam;Port=80;Database=ici;DeviceType=nisiuta;ExtraDetails=iquaUt;", - "file.directory": "odoco", - "file.name": "tiumto", - "fileset.name": "corepas", - "group.name": "uamei", - "host.ip": "10.210.61.109", - "input.type": "log", - "log.level": "low", - "log.offset": 27038, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3193", - "related.hosts": [ - "olu5333.www.domain", - "orumSe4514.www.corp" - ], - "related.ip": [ - "10.168.132.175", - "10.210.61.109" - ], - "related.user": [ - "eursinto", - "giatquov", - "iamea" - ], - "rsa.db.database": "ici", - "rsa.db.index": "iquaUt", - "rsa.internal.event_desc": "elites", - "rsa.internal.messageid": "269", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "oin", - "rsa.misc.disposition": "umquam", - "rsa.misc.group": "uamei", - "rsa.misc.group_object": "cor", - "rsa.misc.obj_type": "nisiuta", - "rsa.misc.operation_id": "licaboNe", - "rsa.misc.policy_name": "tautfug", - "rsa.misc.reference_id": "269", - "rsa.misc.reference_id1": "itseddoe", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3193", - "rsa.network.domain": "olu5333.www.domain", - "rsa.network.host_dst": "orumSe4514.www.corp", - 
"server.domain": "olu5333.www.domain", - "server.registered_domain": "www.domain", - "server.subdomain": "olu5333", - "server.top_level_domain": "domain", - "service.type": "cyberark", - "source.ip": [ - "10.168.132.175" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "iamea" - }, - { - "event.action": "accept", - "event.code": "olup", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"176\";atnula 1.5038\",ProductAccount=\"lmo\",ProductProcess=\"iquidex\",EventId=\"olup\",EventClass=\"remipsu\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"quiac\",ActingAddress=\"10.123.154.17\",ActionSourceUser=\"etdol\",ActionTargetUser=\"dolorsi\",ActionObject=\"nturmag\",ActionSafe=\"tura\",ActionLocation=\"osquirat\",ActionCategory=\"equat\",ActionRequestId=\"aliquid\",ActionReason=\"usantiu\",ActionExtraDetails=\"idunt\"", - "file.directory": "osquirat", - "file.name": "nturmag", - "fileset.name": "corepas", - "host.ip": "10.123.154.17", - "input.type": "log", - "log.level": "low", - "log.offset": 27541, - "observer.product": "atnula", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5038", - "related.ip": [ - "10.123.154.17" - ], - "related.user": [ - "dolorsi", - "lmo", - "quiac" - ], - "rsa.db.index": "idunt", - "rsa.internal.event_desc": "usantiu", - "rsa.internal.messageid": "176", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "equat", - "rsa.misc.group_object": "tura", - "rsa.misc.reference_id": "olup", - "rsa.misc.reference_id1": "aliquid", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.5038", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "quiac" - }, - { - "event.action": "deny", - "event.code": "lpaquiof", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"4\";min 
1.136\",ProductAccount=\"xplic\",ProductProcess=\"eseruntm\",EventId=\"lpaquiof\",EventClass=\"oloreeu\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"etquasia\",ActingAddress=\"10.169.123.103\",ActionSourceUser=\"riatur\",ActionTargetUser=\"oeni\",ActionObject=\"dol\",ActionSafe=\"dol\",ActionLocation=\"atur\",ActionCategory=\"issu\",ActionRequestId=\"identsu\",ActionReason=\"piscivel\",ActionExtraDetails=\"hend\"", - "event.outcome": "failure", - "file.directory": "atur", - "file.name": "dol", - "fileset.name": "corepas", - "host.ip": "10.169.123.103", - "input.type": "log", - "log.level": "very-high", - "log.offset": 27978, - "observer.product": "min", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.136", - "related.ip": [ - "10.169.123.103" - ], - "related.user": [ - "etquasia", - "oeni", - "xplic" - ], - "rsa.db.index": "hend", - "rsa.internal.event_desc": "piscivel", - "rsa.internal.messageid": "4", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "issu", - "rsa.misc.group_object": "dol", - "rsa.misc.reference_id": "lpaquiof", - "rsa.misc.reference_id1": "identsu", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.136", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "etquasia" - }, - { - "event.action": "cancel", - "event.code": "scipi", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"276\";aer 
1.7744\",ProductAccount=\"iati\",ProductProcess=\"minim\",EventId=\"scipi\",EventClass=\"tur\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"Nemoenim\",ActingAddress=\"10.126.205.76\",ActionSourceUser=\"etur\",ActionTargetUser=\"rsitvol\",ActionObject=\"utali\",ActionSafe=\"sed\",ActionLocation=\"xeac\",ActionCategory=\"umdolors\",ActionRequestId=\"lumdo\",ActionReason=\"acom\",ActionExtraDetails=\"eFini\"", - "file.directory": "xeac", - "file.name": "utali", - "fileset.name": "corepas", - "host.ip": "10.126.205.76", - "input.type": "log", - "log.level": "very-high", - "log.offset": 28412, - "observer.product": "aer", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7744", - "related.ip": [ - "10.126.205.76" - ], - "related.user": [ - "Nemoenim", - "iati", - "rsitvol" - ], - "rsa.db.index": "eFini", - "rsa.internal.event_desc": "acom", - "rsa.internal.messageid": "276", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "umdolors", - "rsa.misc.group_object": "sed", - "rsa.misc.reference_id": "scipi", - "rsa.misc.reference_id1": "lumdo", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.7744", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "Nemoenim" - }, - { - "destination.address": "mmodoco2581.www5.host", - "destination.port": 3575, - "event.action": "accept", - "event.code": "38", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "June 4 20:44:15 uovol %CYBERARK: 
MessageID=\"38\";Version=1.3184;Message=accept;Issuer=eufug;Station=10.164.66.154;File=est;Safe=civelits;Location=ici;Category=snulap;RequestId=enimadm;Reason=stenatu;Severity=very-high;SourceUser=sitvo;TargetUser=ine;GatewayStation=10.169.101.161;TicketID=itessequ;PolicyID=iusmodit;UserName=orissu;LogonDomain=fic5107.home;Address=mmodoco2581.www5.host;CPMStatus=isiutali;Port=3575;Database=stquidol;DeviceType=Nemoenim;ExtraDetails=imadmini;", - "file.directory": "ici", - "file.name": "est", - "fileset.name": "corepas", - "group.name": "sitvo", - "host.ip": "10.164.66.154", - "input.type": "log", - "log.level": "very-high", - "log.offset": 28841, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3184", - "related.hosts": [ - "fic5107.home", - "mmodoco2581.www5.host" - ], - "related.ip": [ - "10.164.66.154", - "10.169.101.161" - ], - "related.user": [ - "eufug", - "ine", - "orissu" - ], - "rsa.db.database": "stquidol", - "rsa.db.index": "imadmini", - "rsa.internal.event_desc": "stenatu", - "rsa.internal.messageid": "38", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "snulap", - "rsa.misc.disposition": "isiutali", - "rsa.misc.group": "sitvo", - "rsa.misc.group_object": "civelits", - "rsa.misc.obj_type": "Nemoenim", - "rsa.misc.operation_id": "itessequ", - "rsa.misc.policy_name": "iusmodit", - "rsa.misc.reference_id": "38", - "rsa.misc.reference_id1": "enimadm", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3184", - "rsa.network.domain": "fic5107.home", - "rsa.network.host_dst": "mmodoco2581.www5.host", - "server.domain": "fic5107.home", - "server.registered_domain": "fic5107.home", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.169.101.161" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "eufug" - }, - { - "event.action": "block", - "event.code": "ons", - "event.dataset": "cyberark.corepas", - 
"event.module": "cyberark", - "event.original": "amvo 2018-06-19 03:46:49.592538723 +0000 UTC tnul6235.www5.lan %CYBERARK: MessageID=\"79\";isau 1.1480\",ProductAccount=\"ihilmole\",ProductProcess=\"saquaea\",EventId=\"ons\",EventClass=\"orsitam\",EventSeverity=\"medium\",EventMessage=\"block\",ActingUserName=\"metco\",ActingAddress=\"10.70.83.200\",ActionSourceUser=\"riame\",ActionTargetUser=\"riat\",ActionObject=\"sseq\",ActionSafe=\"eriam\",ActionLocation=\"pernat\",ActionCategory=\"udan\",ActionRequestId=\"archi\",ActionReason=\"iutaliq\",ActionExtraDetails=\"urQuis\"", - "file.directory": "pernat", - "file.name": "sseq", - "fileset.name": "corepas", - "host.ip": "10.70.83.200", - "input.type": "log", - "log.level": "medium", - "log.offset": 29317, - "observer.product": "isau", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1480", - "related.ip": [ - "10.70.83.200" - ], - "related.user": [ - "ihilmole", - "metco", - "riat" - ], - "rsa.db.index": "urQuis", - "rsa.internal.event_desc": "iutaliq", - "rsa.internal.messageid": "79", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "udan", - "rsa.misc.group_object": "eriam", - "rsa.misc.reference_id": "ons", - "rsa.misc.reference_id1": "archi", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.1480", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "metco" - }, - { - "destination.address": "oremqu7663.local", - "destination.port": 5816, - "event.action": "block", - "event.code": "53", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "July 3 10:49:23 orum %CYBERARK: 
MessageID=\"53\";Version=1.4887;Message=block;Issuer=madminim;Station=10.207.97.192;File=quio;Safe=eom;Location=teni;Category=ipiscive;RequestId=dant;Reason=etdolor;Severity=high;SourceUser=paria;TargetUser=mmod;GatewayStation=10.134.55.11;TicketID=amqu;PolicyID=lorsitam;UserName=tanimid;LogonDomain=onpr47.api.home;Address=oremqu7663.local;CPMStatus=llumq;Port=5816;Database=tetura;DeviceType=rumet;ExtraDetails=uptasnul;", - "file.directory": "teni", - "file.name": "quio", - "fileset.name": "corepas", - "group.name": "paria", - "host.ip": "10.207.97.192", - "input.type": "log", - "log.level": "high", - "log.offset": 29810, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4887", - "related.hosts": [ - "onpr47.api.home", - "oremqu7663.local" - ], - "related.ip": [ - "10.134.55.11", - "10.207.97.192" - ], - "related.user": [ - "madminim", - "mmod", - "tanimid" - ], - "rsa.db.database": "tetura", - "rsa.db.index": "uptasnul", - "rsa.internal.event_desc": "etdolor", - "rsa.internal.messageid": "53", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "ipiscive", - "rsa.misc.disposition": "llumq", - "rsa.misc.group": "paria", - "rsa.misc.group_object": "eom", - "rsa.misc.obj_type": "rumet", - "rsa.misc.operation_id": "amqu", - "rsa.misc.policy_name": "lorsitam", - "rsa.misc.reference_id": "53", - "rsa.misc.reference_id1": "dant", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4887", - "rsa.network.domain": "onpr47.api.home", - "rsa.network.host_dst": "oremqu7663.local", - "server.domain": "onpr47.api.home", - "server.registered_domain": "api.home", - "server.subdomain": "onpr47", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.134.55.11" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "madminim" - }, - { - "destination.address": "eve234.www5.local", - "destination.port": 2783, - "event.action": "cancel", - "event.code": 
"75", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2018-07-17 17:51:58.112538723 +0000 UTC nde2358.mail.corp %CYBERARK: MessageID=\"75\";Version=1.3601;Message=cancel;Issuer=texplica;Station=10.52.150.104;File=esse;Safe=veniam;Location=edquian;Category=sus;RequestId=imavenia;Reason=expli;Severity=low;SourceUser=orum;TargetUser=oinBCSed;GatewayStation=10.31.187.19;TicketID=ilm;PolicyID=mvel;UserName=eritq;LogonDomain=rehen4859.api.host;Address=eve234.www5.local;CPMStatus=nula;Port=2783;Database=lit;DeviceType=santi;ExtraDetails=ritati;", - "file.directory": "edquian", - "file.name": "esse", - "fileset.name": "corepas", - "group.name": "orum", - "host.ip": "10.52.150.104", - "input.type": "log", - "log.level": "low", - "log.offset": 30264, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3601", - "related.hosts": [ - "eve234.www5.local", - "rehen4859.api.host" - ], - "related.ip": [ - "10.31.187.19", - "10.52.150.104" - ], - "related.user": [ - "eritq", - "oinBCSed", - "texplica" - ], - "rsa.db.database": "lit", - "rsa.db.index": "ritati", - "rsa.internal.event_desc": "expli", - "rsa.internal.messageid": "75", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "sus", - "rsa.misc.disposition": "nula", - "rsa.misc.group": "orum", - "rsa.misc.group_object": "veniam", - "rsa.misc.obj_type": "santi", - "rsa.misc.operation_id": "ilm", - "rsa.misc.policy_name": "mvel", - "rsa.misc.reference_id": "75", - "rsa.misc.reference_id1": "imavenia", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3601", - "rsa.network.domain": "rehen4859.api.host", - "rsa.network.host_dst": "eve234.www5.local", - "server.domain": "rehen4859.api.host", - "server.registered_domain": "api.host", - "server.subdomain": "rehen4859", - "server.top_level_domain": "host", - "service.type": "cyberark", - "source.ip": [ - "10.31.187.19" - ], - "tags": [ - "cyberark.corepas", - 
"forwarded" - ], - "user.name": "texplica" - }, - { - "destination.address": "fficia2304.www5.home", - "destination.port": 2396, - "event.action": "allow", - "event.code": "89", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "dip 2018-08-01 00:54:32.372538723 +0000 UTC idolo5292.local %CYBERARK: MessageID=\"89\";Version=1.3175;Message=allow;Issuer=runtm;Station=10.41.232.147;File=psumd;Safe=oloree;Location=seos;Category=rios;RequestId=labo;Reason=lpaquiof;Severity=high;SourceUser=mcorpo;TargetUser=ntexpl;GatewayStation=10.61.175.217;TicketID=enbyCi;PolicyID=reetdo;UserName=tat;LogonDomain=eufugia4481.corp;Address=fficia2304.www5.home;CPMStatus=vel;Port=2396;Database=rere;DeviceType=pta;ExtraDetails=nonn;", - "file.directory": "seos", - "file.name": "psumd", - "fileset.name": "corepas", - "group.name": "mcorpo", - "host.ip": "10.41.232.147", - "input.type": "log", - "log.level": "high", - "log.offset": 30752, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3175", - "related.hosts": [ - "eufugia4481.corp", - "fficia2304.www5.home" - ], - "related.ip": [ - "10.41.232.147", - "10.61.175.217" - ], - "related.user": [ - "ntexpl", - "runtm", - "tat" - ], - "rsa.db.database": "rere", - "rsa.db.index": "nonn", - "rsa.internal.event_desc": "lpaquiof", - "rsa.internal.messageid": "89", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "rios", - "rsa.misc.disposition": "vel", - "rsa.misc.group": "mcorpo", - "rsa.misc.group_object": "oloree", - "rsa.misc.obj_type": "pta", - "rsa.misc.operation_id": "enbyCi", - "rsa.misc.policy_name": "reetdo", - "rsa.misc.reference_id": "89", - "rsa.misc.reference_id1": "labo", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.3175", - "rsa.network.domain": "eufugia4481.corp", - "rsa.network.host_dst": "fficia2304.www5.home", - "server.domain": "eufugia4481.corp", - "server.registered_domain": "eufugia4481.corp", - 
"server.top_level_domain": "corp", - "service.type": "cyberark", - "source.ip": [ - "10.61.175.217" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "runtm" - }, - { - "event.action": "deny", - "event.code": "ntut", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "August 15 07:57:06 volup %CYBERARK: MessageID=\"261\";ptate 1.3830\",ProductAccount=\"uisnos\",ProductProcess=\"quamqua\",EventId=\"ntut\",EventClass=\"mag\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"mini\",ActingAddress=\"10.150.30.95\",ActionSourceUser=\"tur\",ActionTargetUser=\"atnonpr\",ActionObject=\"ita\",ActionSafe=\"amquaer\",ActionLocation=\"aqui\",ActionCategory=\"enby\",ActionRequestId=\"lpa\",ActionReason=\"isn\",ActionExtraDetails=\"smod\"", - "file.directory": "aqui", - "file.name": "ita", - "fileset.name": "corepas", - "host.ip": "10.150.30.95", - "input.type": "log", - "log.level": "very-high", - "log.offset": 31238, - "observer.product": "ptate", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3830", - "related.ip": [ - "10.150.30.95" - ], - "related.user": [ - "atnonpr", - "mini", - "uisnos" - ], - "rsa.db.index": "smod", - "rsa.internal.event_desc": "isn", - "rsa.internal.messageid": "261", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "enby", - "rsa.misc.group_object": "amquaer", - "rsa.misc.reference_id": "ntut", - "rsa.misc.reference_id1": "lpa", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3830", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mini" - }, - { - "event.action": "deny", - "event.code": "inesciu", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "August 29 14:59:40 siuta %CYBERARK: MessageID=\"66\";atev 
1.6626\",ProductAccount=\"CSe\",ProductProcess=\"exerci\",EventId=\"inesciu\",EventClass=\"quid\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"onse\",ActingAddress=\"10.98.71.45\",ActionSourceUser=\"destla\",ActionTargetUser=\"fugitse\",ActionObject=\"minimve\",ActionSafe=\"serrorsi\",ActionLocation=\"tametco\",ActionCategory=\"mquisnos\",ActionRequestId=\"lore\",ActionReason=\"isci\",ActionExtraDetails=\"Dui\"", - "file.directory": "tametco", - "file.name": "minimve", - "fileset.name": "corepas", - "host.ip": "10.98.71.45", - "input.type": "log", - "log.level": "high", - "log.offset": 31683, - "observer.product": "atev", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6626", - "related.ip": [ - "10.98.71.45" - ], - "related.user": [ - "CSe", - "fugitse", - "onse" - ], - "rsa.db.index": "Dui", - "rsa.internal.event_desc": "isci", - "rsa.internal.messageid": "66", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "mquisnos", - "rsa.misc.group_object": "serrorsi", - "rsa.misc.reference_id": "inesciu", - "rsa.misc.reference_id1": "lore", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.6626", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "onse" - }, - { - "event.action": "deny", - "event.code": "ianonnum", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "lup 2018-09-12 22:02:15.152538723 +0000 UTC iumtotam1010.www5.corp %CYBERARK: MessageID=\"168\";userror 1.5986\",ProductAccount=\"nonn\",ProductProcess=\"hite\",EventId=\"ianonnum\",EventClass=\"nofdeFi\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"remq\",ActingAddress=\"10.252.251.143\",ActionSourceUser=\"velill\",ActionTargetUser=\"rspic\",ActionObject=\"orinrepr\",ActionSafe=\"ror\",ActionLocation=\"onsecte\",ActionCategory=\"doei\",ActionRequestId=\"nvolupta\",ActionReason=\"tev\",ActionExtraDetails=\"nre\"", - "file.directory": 
"onsecte", - "file.name": "orinrepr", - "fileset.name": "corepas", - "host.ip": "10.252.251.143", - "input.type": "log", - "log.level": "medium", - "log.offset": 32136, - "observer.product": "userror", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5986", - "related.ip": [ - "10.252.251.143" - ], - "related.user": [ - "nonn", - "remq", - "rspic" - ], - "rsa.db.index": "nre", - "rsa.internal.event_desc": "tev", - "rsa.internal.messageid": "168", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "doei", - "rsa.misc.group_object": "ror", - "rsa.misc.reference_id": "ianonnum", - "rsa.misc.reference_id1": "nvolupta", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5986", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "remq" - }, - { - "event.action": "accept", - "event.code": "lupta", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"274\";lumdolor 1.4706\",ProductAccount=\"eserun\",ProductProcess=\"rvelill\",EventId=\"lupta\",EventClass=\"byC\",EventSeverity=\"high\",EventMessage=\"accept\",ActingUserName=\"uta\",ActingAddress=\"10.197.203.167\",ActionSourceUser=\"ulapa\",ActionTargetUser=\"iumdo\",ActionObject=\"iusmodit\",ActionSafe=\"aturv\",ActionLocation=\"ectetura\",ActionCategory=\"obeataev\",ActionRequestId=\"umf\",ActionReason=\"olesti\",ActionExtraDetails=\"smo\"", - "file.directory": "ectetura", - "file.name": "iusmodit", - "fileset.name": "corepas", - "host.ip": "10.197.203.167", - "input.type": "log", - "log.level": "high", - "log.offset": 32636, - "observer.product": "lumdolor", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4706", - "related.ip": [ - "10.197.203.167" - ], - "related.user": [ - "eserun", - "iumdo", - "uta" - ], - "rsa.db.index": "smo", - "rsa.internal.event_desc": "olesti", - "rsa.internal.messageid": "274", - "rsa.misc.action": 
[ - "accept" - ], - "rsa.misc.category": "obeataev", - "rsa.misc.group_object": "aturv", - "rsa.misc.reference_id": "lupta", - "rsa.misc.reference_id1": "umf", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4706", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "uta" - }, - { - "event.action": "accept", - "event.code": "tten", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "tDuis 2018-10-11 12:07:23.672538723 +0000 UTC iqu1643.www.host %CYBERARK: MessageID=\"96\";inim 1.6806\",ProductAccount=\"ibusBo\",ProductProcess=\"untincu\",EventId=\"tten\",EventClass=\"etur\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"enima\",ActingAddress=\"10.187.170.23\",ActionSourceUser=\"sequ\",ActionTargetUser=\"sectetu\",ActionObject=\"evi\",ActionSafe=\"tionula\",ActionLocation=\"accus\",ActionCategory=\"uatu\",ActionRequestId=\"mquis\",ActionReason=\"lab\",ActionExtraDetails=\"uido\"", - "file.directory": "accus", - "file.name": "evi", - "fileset.name": "corepas", - "host.ip": "10.187.170.23", - "input.type": "log", - "log.level": "low", - "log.offset": 33071, - "observer.product": "inim", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6806", - "related.ip": [ - "10.187.170.23" - ], - "related.user": [ - "enima", - "ibusBo", - "sectetu" - ], - "rsa.db.index": "uido", - "rsa.internal.event_desc": "lab", - "rsa.internal.messageid": "96", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "uatu", - "rsa.misc.group_object": "tionula", - "rsa.misc.reference_id": "tten", - "rsa.misc.reference_id1": "mquis", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.6806", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "enima" - }, - { - "destination.address": "udexerc2708.api.test", - "destination.port": 505, - "event.action": "allow", - "event.code": "61", - 
"event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2018-10-25 19:09:57.932538723 +0000 UTC nimadmin5577.corp %CYBERARK: MessageID=\"61\";Version=1.3824;Message=allow;Issuer=tinculpa;Station=10.123.62.215;File=rumSecti;Safe=riamea;Location=eca;Category=oluptate;RequestId=Duisa;Reason=consequa;Severity=low;SourceUser=iaecon;TargetUser=aevitaed;GatewayStation=10.250.248.215;TicketID=remap;PolicyID=deri;UserName=quaeratv;LogonDomain=involu1450.www.localhost;Address=udexerc2708.api.test;CPMStatus=odic;Port=505;Database=lica;DeviceType=secil;ExtraDetails=uisnos;", - "file.directory": "eca", - "file.name": "rumSecti", - "fileset.name": "corepas", - "group.name": "iaecon", - "host.ip": "10.123.62.215", - "input.type": "log", - "log.level": "low", - "log.offset": 33555, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3824", - "related.hosts": [ - "involu1450.www.localhost", - "udexerc2708.api.test" - ], - "related.ip": [ - "10.123.62.215", - "10.250.248.215" - ], - "related.user": [ - "aevitaed", - "quaeratv", - "tinculpa" - ], - "rsa.db.database": "lica", - "rsa.db.index": "uisnos", - "rsa.internal.event_desc": "consequa", - "rsa.internal.messageid": "61", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "oluptate", - "rsa.misc.disposition": "odic", - "rsa.misc.group": "iaecon", - "rsa.misc.group_object": "riamea", - "rsa.misc.obj_type": "secil", - "rsa.misc.operation_id": "remap", - "rsa.misc.policy_name": "deri", - "rsa.misc.reference_id": "61", - "rsa.misc.reference_id1": "Duisa", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3824", - "rsa.network.domain": "involu1450.www.localhost", - "rsa.network.host_dst": "udexerc2708.api.test", - "server.domain": "involu1450.www.localhost", - "server.registered_domain": "www.localhost", - "server.subdomain": "involu1450", - "server.top_level_domain": "localhost", - "service.type": "cyberark", - "source.ip": 
[ - "10.250.248.215" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tinculpa" - }, - { - "destination.address": "temvele5776.www.test", - "destination.port": 864, - "event.action": "block", - "event.code": "372", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "scipit 2018-11-09 02:12:32.192538723 +0000 UTC lloinve551.internal.local %CYBERARK: MessageID=\"372\";Version=1.3759;Message=block;Issuer=isiutali;Station=10.146.57.23;File=evit;Safe=tno;Location=iss;Category=taspe;RequestId=lum;Reason=xerc;Severity=high;GatewayStation=10.147.154.118;TicketID=nvol;PolicyID=enimadmi;UserName=tateveli;LogonDomain=osa3211.www5.example;Address=temvele5776.www.test;CPMStatus=inimve;Port=\"864\";Database=cin;DeviceType=tmo;ExtraDetails=onofdeF;", - "file.directory": "iss", - "file.name": "evit", - "fileset.name": "corepas", - "host.ip": "10.146.57.23", - "input.type": "log", - "log.level": "high", - "log.offset": 34065, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3759", - "related.hosts": [ - "osa3211.www5.example", - "temvele5776.www.test" - ], - "related.ip": [ - "10.146.57.23", - "10.147.154.118" - ], - "related.user": [ - "isiutali", - "tateveli" - ], - "rsa.db.database": "cin", - "rsa.db.index": "onofdeF", - "rsa.internal.event_desc": "xerc", - "rsa.internal.messageid": "372", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "taspe", - "rsa.misc.disposition": "inimve", - "rsa.misc.group_object": "tno", - "rsa.misc.obj_type": "tmo", - "rsa.misc.operation_id": "nvol", - "rsa.misc.policy_name": "enimadmi", - "rsa.misc.reference_id": "372", - "rsa.misc.reference_id1": "lum", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.3759", - "rsa.network.domain": "osa3211.www5.example", - "rsa.network.host_dst": "temvele5776.www.test", - "server.domain": "osa3211.www5.example", - "server.registered_domain": "www5.example", - 
"server.subdomain": "osa3211", - "server.top_level_domain": "example", - "service.type": "cyberark", - "source.ip": [ - "10.147.154.118" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "isiutali" - }, - { - "event.action": "cancel", - "event.code": "tlabo", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "its 2018-11-23 09:15:06.452538723 +0000 UTC uptasnul2751.www5.corp %CYBERARK: MessageID=\"232\";ostrudex 1.4542\",ProductAccount=\"niamqui\",ProductProcess=\"usmodite\",EventId=\"tlabo\",EventClass=\"tatemse\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"uamestqu\",ActingAddress=\"10.193.33.201\",ActionSourceUser=\"hender\",ActionTargetUser=\"ptatemU\",ActionObject=\"seq\",ActionSafe=\"rumSe\",ActionLocation=\"tatnonp\",ActionCategory=\"ommo\",ActionRequestId=\"adeser\",ActionReason=\"uasiarc\",ActionExtraDetails=\"doeiu\"", - "file.directory": "tatnonp", - "file.name": "seq", - "fileset.name": "corepas", - "host.ip": "10.193.33.201", - "input.type": "log", - "log.level": "very-high", - "log.offset": 34538, - "observer.product": "ostrudex", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4542", - "related.ip": [ - "10.193.33.201" - ], - "related.user": [ - "niamqui", - "ptatemU", - "uamestqu" - ], - "rsa.db.index": "doeiu", - "rsa.internal.event_desc": "uasiarc", - "rsa.internal.messageid": "232", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "ommo", - "rsa.misc.group_object": "rumSe", - "rsa.misc.reference_id": "tlabo", - "rsa.misc.reference_id1": "adeser", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.4542", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "uamestqu" - }, - { - "event.action": "block", - "event.code": "iuntN", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2018-12-07 16:17:40.712538723 +0000 UTC 
atuserro6791.internal.host %CYBERARK: MessageID=\"24\";upta 1.313\",ProductAccount=\"onnumqua\",ProductProcess=\"quioff\",EventId=\"iuntN\",EventClass=\"ipis\",EventSeverity=\"low\",EventMessage=\"block\",ActingUserName=\"nesci\",ActingAddress=\"10.154.172.82\",ActionSourceUser=\"lorsi\",ActionTargetUser=\"tetura\",ActionObject=\"eeufug\",ActionSafe=\"edutper\",ActionLocation=\"tevelite\",ActionCategory=\"tocca\",ActionRequestId=\"orsitvol\",ActionReason=\"ntor\",ActionExtraDetails=\"oinBCSed\"", - "file.directory": "tevelite", - "file.name": "eeufug", - "fileset.name": "corepas", - "host.ip": "10.154.172.82", - "input.type": "log", - "log.level": "low", - "log.offset": 35054, - "observer.product": "upta", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.313", - "related.ip": [ - "10.154.172.82" - ], - "related.user": [ - "nesci", - "onnumqua", - "tetura" - ], - "rsa.db.index": "oinBCSed", - "rsa.internal.event_desc": "ntor", - "rsa.internal.messageid": "24", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "tocca", - "rsa.misc.group_object": "edutper", - "rsa.misc.reference_id": "iuntN", - "rsa.misc.reference_id1": "orsitvol", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.313", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "nesci" - }, - { - "event.action": "allow", - "event.code": "avolu", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"79\";obeatae 1.1886\",ProductAccount=\"midestl\",ProductProcess=\"quatu\",EventId=\"avolu\",EventClass=\"teturad\",EventSeverity=\"very-high\",EventMessage=\"allow\",ActingUserName=\"expl\",ActingAddress=\"10.47.63.70\",ActionSourceUser=\"lup\",ActionTargetUser=\"tpers\",ActionObject=\"orsitv\",ActionSafe=\"temseq\",ActionLocation=\"uisaute\",ActionCategory=\"uun\",ActionRequestId=\"end\",ActionReason=\"odocons\",ActionExtraDetails=\"olu\"", - 
"file.directory": "uisaute", - "file.name": "orsitv", - "fileset.name": "corepas", - "host.ip": "10.47.63.70", - "input.type": "log", - "log.level": "very-high", - "log.offset": 35557, - "observer.product": "obeatae", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1886", - "related.ip": [ - "10.47.63.70" - ], - "related.user": [ - "expl", - "midestl", - "tpers" - ], - "rsa.db.index": "olu", - "rsa.internal.event_desc": "odocons", - "rsa.internal.messageid": "79", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "uun", - "rsa.misc.group_object": "temseq", - "rsa.misc.reference_id": "avolu", - "rsa.misc.reference_id1": "end", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.1886", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "expl" - }, - { - "event.action": "block", - "event.code": "ectobea", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "January 5 06:22:49 amn %CYBERARK: MessageID=\"312\";itessequ 1.5170\",ProductAccount=\"fdeFinib\",ProductProcess=\"uip\",EventId=\"ectobea\",EventClass=\"dat\",EventSeverity=\"very-high\",EventMessage=\"block\",ActingUserName=\"turQuis\",ActingAddress=\"10.178.160.245\",ActionSourceUser=\"deomnisi\",ActionTargetUser=\"olupta\",ActionObject=\"oll\",ActionSafe=\"laboree\",ActionLocation=\"udantiu\",ActionCategory=\"itametco\",ActionRequestId=\"iav\",ActionReason=\"odico\",ActionExtraDetails=\"rsint\"", - "file.directory": "udantiu", - "file.name": "oll", - "fileset.name": "corepas", - "host.ip": "10.178.160.245", - "input.type": "log", - "log.level": "very-high", - "log.offset": 35987, - "observer.product": "itessequ", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5170", - "related.ip": [ - "10.178.160.245" - ], - "related.user": [ - "fdeFinib", - "olupta", - "turQuis" - ], - "rsa.db.index": "rsint", - "rsa.internal.event_desc": 
"odico", - "rsa.internal.messageid": "312", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "itametco", - "rsa.misc.group_object": "laboree", - "rsa.misc.reference_id": "ectobea", - "rsa.misc.reference_id1": "iav", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.5170", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "turQuis" - }, - { - "destination.address": "teursint1321.www5.example", - "destination.port": 7024, - "event.action": "block", - "event.code": "77", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "January 19 13:25:23 quiav %CYBERARK: MessageID=\"77\";Version=1.6648;Message=block;Issuer=Nem;Station=10.85.13.237;File=oluptat;Safe=enimad;Location=tis;Category=qua;RequestId=con;Reason=tore;Severity=high;SourceUser=quelaud;TargetUser=luptat;GatewayStation=10.89.154.115;TicketID=oeiusmo;PolicyID=nimv;UserName=emeu;LogonDomain=tatemac5192.www5.test;Address=teursint1321.www5.example;CPMStatus=lamcolab;Port=7024;Database=nturmag;DeviceType=uredol;ExtraDetails=maliqua;", - "file.directory": "tis", - "file.name": "oluptat", - "fileset.name": "corepas", - "group.name": "quelaud", - "host.ip": "10.85.13.237", - "input.type": "log", - "log.level": "high", - "log.offset": 36454, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6648", - "related.hosts": [ - "tatemac5192.www5.test", - "teursint1321.www5.example" - ], - "related.ip": [ - "10.85.13.237", - "10.89.154.115" - ], - "related.user": [ - "Nem", - "emeu", - "luptat" - ], - "rsa.db.database": "nturmag", - "rsa.db.index": "maliqua", - "rsa.internal.event_desc": "tore", - "rsa.internal.messageid": "77", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "qua", - "rsa.misc.disposition": "lamcolab", - "rsa.misc.group": "quelaud", - "rsa.misc.group_object": "enimad", - "rsa.misc.obj_type": "uredol", - 
"rsa.misc.operation_id": "oeiusmo", - "rsa.misc.policy_name": "nimv", - "rsa.misc.reference_id": "77", - "rsa.misc.reference_id1": "con", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.6648", - "rsa.network.domain": "tatemac5192.www5.test", - "rsa.network.host_dst": "teursint1321.www5.example", - "server.domain": "tatemac5192.www5.test", - "server.registered_domain": "www5.test", - "server.subdomain": "tatemac5192", - "server.top_level_domain": "test", - "service.type": "cyberark", - "source.ip": [ - "10.89.154.115" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "Nem" - }, - { - "destination.address": "boreet2051.internal.localdomain", - "destination.port": 1644, - "event.action": "allow", - "event.code": "308", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2019-02-02 20:27:57.752538723 +0000 UTC omnisi5530.mail.example %CYBERARK: MessageID=\"308\";Version=1.3387;Message=allow;Issuer=itame;Station=10.222.32.183;File=yCiceroi;Safe=nostrum;Location=orroquis;Category=eumi;RequestId=tvo;Reason=aea;Severity=low;SourceUser=mmo;TargetUser=eve;GatewayStation=10.65.207.234;TicketID=ciad;PolicyID=ugiatqu;UserName=eruntmo;LogonDomain=nimve2787.mail.test;Address=boreet2051.internal.localdomain;CPMStatus=iavo;Port=1644;Database=udexerc;DeviceType=ovolupta;ExtraDetails=volup;", - "file.directory": "orroquis", - "file.name": "yCiceroi", - "fileset.name": "corepas", - "group.name": "mmo", - "host.ip": "10.222.32.183", - "input.type": "log", - "log.level": "low", - "log.offset": 36923, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3387", - "related.hosts": [ - "boreet2051.internal.localdomain", - "nimve2787.mail.test" - ], - "related.ip": [ - "10.222.32.183", - "10.65.207.234" - ], - "related.user": [ - "eruntmo", - "eve", - "itame" - ], - "rsa.db.database": "udexerc", - "rsa.db.index": "volup", - "rsa.internal.event_desc": "aea", - 
"rsa.internal.messageid": "308", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "eumi", - "rsa.misc.disposition": "iavo", - "rsa.misc.group": "mmo", - "rsa.misc.group_object": "nostrum", - "rsa.misc.obj_type": "ovolupta", - "rsa.misc.operation_id": "ciad", - "rsa.misc.policy_name": "ugiatqu", - "rsa.misc.reference_id": "308", - "rsa.misc.reference_id1": "tvo", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3387", - "rsa.network.domain": "nimve2787.mail.test", - "rsa.network.host_dst": "boreet2051.internal.localdomain", - "server.domain": "nimve2787.mail.test", - "server.registered_domain": "mail.test", - "server.subdomain": "nimve2787", - "server.top_level_domain": "test", - "service.type": "cyberark", - "source.ip": [ - "10.65.207.234" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "itame" - }, - { - "event.action": "cancel", - "event.code": "edqu", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "rro 2019-02-17 03:30:32.012538723 +0000 UTC tuser6944.local %CYBERARK: MessageID=\"54\";iarchite 1.1612\",ProductAccount=\"oinven\",ProductProcess=\"natu\",EventId=\"edqu\",EventClass=\"tationu\",EventSeverity=\"high\",EventMessage=\"cancel\",ActingUserName=\"olore\",ActingAddress=\"10.16.181.60\",ActionSourceUser=\"ameaquei\",ActionTargetUser=\"gnama\",ActionObject=\"esciun\",ActionSafe=\"tesse\",ActionLocation=\"olupta\",ActionCategory=\"isno\",ActionRequestId=\"oluptas\",ActionReason=\"nderiti\",ActionExtraDetails=\"uatu\"", - "file.directory": "olupta", - "file.name": "esciun", - "fileset.name": "corepas", - "host.ip": "10.16.181.60", - "input.type": "log", - "log.level": "high", - "log.offset": 37436, - "observer.product": "iarchite", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1612", - "related.ip": [ - "10.16.181.60" - ], - "related.user": [ - "gnama", - "oinven", - "olore" - ], - "rsa.db.index": "uatu", - "rsa.internal.event_desc": 
"nderiti", - "rsa.internal.messageid": "54", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "isno", - "rsa.misc.group_object": "tesse", - "rsa.misc.reference_id": "edqu", - "rsa.misc.reference_id1": "oluptas", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.1612", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "olore" - }, - { - "event.action": "deny", - "event.code": "onse", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "orem 2019-03-03 10:33:06.272538723 +0000 UTC giatqu1484.internal.corp %CYBERARK: MessageID=\"208\";oreseosq 1.2275\",ProductAccount=\"uianon\",ProductProcess=\"nul\",EventId=\"onse\",EventClass=\"sitam\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"illoin\",ActingAddress=\"10.91.213.82\",ActionSourceUser=\"uid\",ActionTargetUser=\"amnis\",ActionObject=\"rvelil\",ActionSafe=\"adese\",ActionLocation=\"olorsi\",ActionCategory=\"caboNemo\",ActionRequestId=\"uptas\",ActionReason=\"temaccus\",ActionExtraDetails=\"ons\"", - "file.directory": "olorsi", - "file.name": "rvelil", - "fileset.name": "corepas", - "host.ip": "10.91.213.82", - "input.type": "log", - "log.level": "very-high", - "log.offset": 37931, - "observer.product": "oreseosq", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2275", - "related.ip": [ - "10.91.213.82" - ], - "related.user": [ - "amnis", - "illoin", - "uianon" - ], - "rsa.db.index": "ons", - "rsa.internal.event_desc": "temaccus", - "rsa.internal.messageid": "208", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "caboNemo", - "rsa.misc.group_object": "adese", - "rsa.misc.reference_id": "onse", - "rsa.misc.reference_id1": "uptas", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2275", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "illoin" - }, - { - "event.action": "allow", - 
"event.code": "iaeconse", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2019-03-17 17:35:40.532538723 +0000 UTC oreeu3666.invalid %CYBERARK: MessageID=\"48\";tis 1.6724\",ProductAccount=\"eprehe\",ProductProcess=\"tinvolup\",EventId=\"iaeconse\",EventClass=\"uisa\",EventSeverity=\"medium\",EventMessage=\"allow\",ActingUserName=\"tdolo\",ActingAddress=\"10.204.214.98\",ActionSourceUser=\"iumt\",ActionTargetUser=\"porissus\",ActionObject=\"imip\",ActionSafe=\"tsunt\",ActionLocation=\"rnat\",ActionCategory=\"oremi\",ActionRequestId=\"ectobeat\",ActionReason=\"ecte\",ActionExtraDetails=\"abo\"", - "file.directory": "rnat", - "file.name": "imip", - "fileset.name": "corepas", - "host.ip": "10.204.214.98", - "input.type": "log", - "log.level": "medium", - "log.offset": 38435, - "observer.product": "tis", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6724", - "related.ip": [ - "10.204.214.98" - ], - "related.user": [ - "eprehe", - "porissus", - "tdolo" - ], - "rsa.db.index": "abo", - "rsa.internal.event_desc": "ecte", - "rsa.internal.messageid": "48", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "oremi", - "rsa.misc.group_object": "tsunt", - "rsa.misc.reference_id": "iaeconse", - "rsa.misc.reference_id1": "ectobeat", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.6724", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "tdolo" - }, - { - "event.action": "accept", - "event.code": "tium", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"219\";snos 
1.5910\",ProductAccount=\"moenimip\",ProductProcess=\"uames\",EventId=\"tium\",EventClass=\"ianonn\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"etc\",ActingAddress=\"10.223.178.192\",ActionSourceUser=\"atquovol\",ActionTargetUser=\"evel\",ActionObject=\"edol\",ActionSafe=\"sequuntu\",ActionLocation=\"quameius\",ActionCategory=\"litse\",ActionRequestId=\"san\",ActionReason=\"apari\",ActionExtraDetails=\"iarchit\"", - "file.directory": "quameius", - "file.name": "edol", - "fileset.name": "corepas", - "host.ip": "10.223.178.192", - "input.type": "log", - "log.level": "very-high", - "log.offset": 38923, - "observer.product": "snos", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5910", - "related.ip": [ - "10.223.178.192" - ], - "related.user": [ - "etc", - "evel", - "moenimip" - ], - "rsa.db.index": "iarchit", - "rsa.internal.event_desc": "apari", - "rsa.internal.messageid": "219", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "litse", - "rsa.misc.group_object": "sequuntu", - "rsa.misc.reference_id": "tium", - "rsa.misc.reference_id1": "san", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.5910", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "etc" - }, - { - "destination.address": "umto3015.mail.lan", - "destination.port": 4667, - "event.action": "cancel", - "event.code": "183", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2019-04-15 07:40:49.052538723 +0000 UTC nsequat6724.www.invalid %CYBERARK: 
MessageID=\"183\";Version=1.801;Message=cancel;Issuer=ati;Station=10.26.137.126;File=dolor;Safe=Mal;Location=ametcons;Category=tconse;RequestId=eumf;Reason=roquisq;Severity=medium;SourceUser=doconse;TargetUser=audant;GatewayStation=10.26.33.181;TicketID=remeum;PolicyID=mmod;UserName=taevit;LogonDomain=ama6820.mail.example;Address=umto3015.mail.lan;CPMStatus=sitv;Port=4667;Database=com;DeviceType=rep;ExtraDetails=mveni;", - "file.directory": "ametcons", - "file.name": "dolor", - "fileset.name": "corepas", - "group.name": "doconse", - "host.ip": "10.26.137.126", - "input.type": "log", - "log.level": "medium", - "log.offset": 39362, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.801", - "related.hosts": [ - "ama6820.mail.example", - "umto3015.mail.lan" - ], - "related.ip": [ - "10.26.137.126", - "10.26.33.181" - ], - "related.user": [ - "ati", - "audant", - "taevit" - ], - "rsa.db.database": "com", - "rsa.db.index": "mveni", - "rsa.internal.event_desc": "roquisq", - "rsa.internal.messageid": "183", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "tconse", - "rsa.misc.disposition": "sitv", - "rsa.misc.group": "doconse", - "rsa.misc.group_object": "Mal", - "rsa.misc.obj_type": "rep", - "rsa.misc.operation_id": "remeum", - "rsa.misc.policy_name": "mmod", - "rsa.misc.reference_id": "183", - "rsa.misc.reference_id1": "eumf", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.801", - "rsa.network.domain": "ama6820.mail.example", - "rsa.network.host_dst": "umto3015.mail.lan", - "server.domain": "ama6820.mail.example", - "server.registered_domain": "mail.example", - "server.subdomain": "ama6820", - "server.top_level_domain": "example", - "service.type": "cyberark", - "source.ip": [ - "10.26.33.181" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ati" - }, - { - "destination.address": "etquasia1800.www.host", - "destination.port": 7612, - "event.action": 
"accept", - "event.code": "41", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "April 29 14:43:23 num %CYBERARK: MessageID=\"41\";Version=1.10;Message=accept;Issuer=quaerat;Station=10.148.195.208;File=amnih;Safe=tper;Location=pisciv;Category=tconsect;RequestId=pariat;Reason=iutal;Severity=low;SourceUser=ctobeat;TargetUser=isi;GatewayStation=10.142.161.116;TicketID=eca;PolicyID=ctionofd;UserName=mpori;LogonDomain=olupt966.www5.corp;Address=etquasia1800.www.host;CPMStatus=nimip;Port=7612;Database=squamest;DeviceType=quisn;ExtraDetails=pteu;", - "file.directory": "pisciv", - "file.name": "amnih", - "fileset.name": "corepas", - "group.name": "ctobeat", - "host.ip": "10.148.195.208", - "input.type": "log", - "log.level": "low", - "log.offset": 39858, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.10", - "related.hosts": [ - "etquasia1800.www.host", - "olupt966.www5.corp" - ], - "related.ip": [ - "10.142.161.116", - "10.148.195.208" - ], - "related.user": [ - "isi", - "mpori", - "quaerat" - ], - "rsa.db.database": "squamest", - "rsa.db.index": "pteu", - "rsa.internal.event_desc": "iutal", - "rsa.internal.messageid": "41", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "tconsect", - "rsa.misc.disposition": "nimip", - "rsa.misc.group": "ctobeat", - "rsa.misc.group_object": "tper", - "rsa.misc.obj_type": "quisn", - "rsa.misc.operation_id": "eca", - "rsa.misc.policy_name": "ctionofd", - "rsa.misc.reference_id": "41", - "rsa.misc.reference_id1": "pariat", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.10", - "rsa.network.domain": "olupt966.www5.corp", - "rsa.network.host_dst": "etquasia1800.www.host", - "server.domain": "olupt966.www5.corp", - "server.registered_domain": "www5.corp", - "server.subdomain": "olupt966", - "server.top_level_domain": "corp", - "service.type": "cyberark", - "source.ip": [ - "10.142.161.116" - ], - "tags": [ - 
"cyberark.corepas", - "forwarded" - ], - "user.name": "quaerat" - }, - { - "destination.address": "quisquam2153.mail.host", - "destination.port": 2717, - "event.action": "block", - "event.code": "270", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "velillum 2019-05-13 21:45:57.572538723 +0000 UTC ntNequ7639.internal.localdomain %CYBERARK: MessageID=\"270\";Version=1.1026;Message=block;Issuer=itinvo;Station=10.107.24.54;File=emipsumq;Safe=culpaq;Location=quamq;Category=usan;RequestId=tdolo;Reason=ident;Severity=medium;SourceUser=itaedi;TargetUser=hend;GatewayStation=10.10.174.253;TicketID=esciun;PolicyID=tasnul;UserName=uptasn;LogonDomain=lit4112.www.localhost;Address=quisquam2153.mail.host;CPMStatus=dit;Port=2717;Database=lup;DeviceType=aeca;ExtraDetails=isau;", - "file.directory": "quamq", - "file.name": "emipsumq", - "fileset.name": "corepas", - "group.name": "itaedi", - "host.ip": "10.107.24.54", - "input.type": "log", - "log.level": "medium", - "log.offset": 40321, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.1026", - "related.hosts": [ - "lit4112.www.localhost", - "quisquam2153.mail.host" - ], - "related.ip": [ - "10.10.174.253", - "10.107.24.54" - ], - "related.user": [ - "hend", - "itinvo", - "uptasn" - ], - "rsa.db.database": "lup", - "rsa.db.index": "isau", - "rsa.internal.event_desc": "ident", - "rsa.internal.messageid": "270", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "usan", - "rsa.misc.disposition": "dit", - "rsa.misc.group": "itaedi", - "rsa.misc.group_object": "culpaq", - "rsa.misc.obj_type": "aeca", - "rsa.misc.operation_id": "esciun", - "rsa.misc.policy_name": "tasnul", - "rsa.misc.reference_id": "270", - "rsa.misc.reference_id1": "tdolo", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.1026", - "rsa.network.domain": "lit4112.www.localhost", - "rsa.network.host_dst": "quisquam2153.mail.host", - 
"server.domain": "lit4112.www.localhost", - "server.registered_domain": "www.localhost", - "server.subdomain": "lit4112", - "server.top_level_domain": "localhost", - "service.type": "cyberark", - "source.ip": [ - "10.10.174.253" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "itinvo" - }, - { - "event.action": "deny", - "event.code": "iades", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "May 28 04:48:31 boreetd %CYBERARK: MessageID=\"309\";tNe 1.2566\",ProductAccount=\"eeufug\",ProductProcess=\"ntin\",EventId=\"iades\",EventClass=\"radipis\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"luptate\",ActingAddress=\"10.87.92.17\",ActionSourceUser=\"utlabore\",ActionTargetUser=\"tamr\",ActionObject=\"serr\",ActionSafe=\"usci\",ActionLocation=\"unturmag\",ActionCategory=\"dexeaco\",ActionRequestId=\"lupta\",ActionReason=\"ura\",ActionExtraDetails=\"oreeufug\"", - "event.outcome": "failure", - "file.directory": "unturmag", - "file.name": "serr", - "fileset.name": "corepas", - "host.ip": "10.87.92.17", - "input.type": "log", - "log.level": "very-high", - "log.offset": 40841, - "observer.product": "tNe", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2566", - "related.ip": [ - "10.87.92.17" - ], - "related.user": [ - "eeufug", - "luptate", - "tamr" - ], - "rsa.db.index": "oreeufug", - "rsa.internal.event_desc": "ura", - "rsa.internal.messageid": "309", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "dexeaco", - "rsa.misc.group_object": "usci", - "rsa.misc.reference_id": "iades", - "rsa.misc.reference_id1": "lupta", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.2566", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - 
"forwarded" - ], - "user.name": "luptate" - }, - { - "destination.address": "secte1774.localhost", - "destination.port": 5200, - "event.action": "deny", - "event.code": "295", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "June 11 11:51:06 dolo %CYBERARK: MessageID=\"295\";Version=1.5649;Message=deny;Issuer=Finibus;Station=10.161.51.135;File=porin;Safe=metMal;Location=ciati;Category=ecillum;RequestId=olor;Reason=amei;Severity=medium;SourceUser=quid;TargetUser=accus;GatewayStation=10.231.51.136;TicketID=ctobeat;PolicyID=upta;UserName=asper;LogonDomain=dictasun3408.internal.invalid;Address=secte1774.localhost;CPMStatus=iqui;Port=5200;Database=litani;DeviceType=emp;ExtraDetails=arch;", - "file.directory": "ciati", - "file.name": "porin", - "fileset.name": "corepas", - "group.name": "quid", - "host.ip": "10.161.51.135", - "input.type": "log", - "log.level": "medium", - "log.offset": 41300, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.5649", - "related.hosts": [ - "dictasun3408.internal.invalid", - "secte1774.localhost" - ], - "related.ip": [ - "10.161.51.135", - "10.231.51.136" - ], - "related.user": [ - "Finibus", - "accus", - "asper" - ], - "rsa.db.database": "litani", - "rsa.db.index": "arch", - "rsa.internal.event_desc": "amei", - "rsa.internal.messageid": "295", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "ecillum", - "rsa.misc.disposition": "iqui", - "rsa.misc.group": "quid", - "rsa.misc.group_object": "metMal", - "rsa.misc.obj_type": "emp", - "rsa.misc.operation_id": "ctobeat", - "rsa.misc.policy_name": "upta", - "rsa.misc.reference_id": "295", - "rsa.misc.reference_id1": "olor", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.5649", - "rsa.network.domain": "dictasun3408.internal.invalid", - "rsa.network.host_dst": "secte1774.localhost", - "server.domain": "dictasun3408.internal.invalid", - "server.registered_domain": 
"internal.invalid", - "server.subdomain": "dictasun3408", - "server.top_level_domain": "invalid", - "service.type": "cyberark", - "source.ip": [ - "10.231.51.136" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "Finibus" - }, - { - "event.action": "allow", - "event.code": "cia", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "June 25 18:53:40 dipisciv %CYBERARK: MessageID=\"148\";uam 1.2575\",ProductAccount=\"llum\",ProductProcess=\"mwr\",EventId=\"cia\",EventClass=\"idolo\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"mquido\",ActingAddress=\"10.51.17.32\",ActionSourceUser=\"ree\",ActionTargetUser=\"itten\",ActionObject=\"quipexea\",ActionSafe=\"orsitv\",ActionLocation=\"dunt\",ActionCategory=\"int\",ActionRequestId=\"ionevo\",ActionReason=\"llitani\",ActionExtraDetails=\"uscipit\"", - "file.directory": "dunt", - "file.name": "quipexea", - "fileset.name": "corepas", - "host.ip": "10.51.17.32", - "input.type": "log", - "log.level": "low", - "log.offset": 41765, - "observer.product": "uam", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2575", - "related.ip": [ - "10.51.17.32" - ], - "related.user": [ - "itten", - "llum", - "mquido" - ], - "rsa.db.index": "uscipit", - "rsa.internal.event_desc": "llitani", - "rsa.internal.messageid": "148", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "int", - "rsa.misc.group_object": "orsitv", - "rsa.misc.reference_id": "cia", - "rsa.misc.reference_id1": "ionevo", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.2575", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "mquido" - }, - { - "event.action": "deny", - "event.code": "mquisno", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "etco 2019-07-10 01:56:14.612538723 +0000 UTC iuntN4077.www.invalid %CYBERARK: MessageID=\"260\";isnostru 
1.270\",ProductAccount=\"mmodicon\",ProductProcess=\"eetdo\",EventId=\"mquisno\",EventClass=\"atvolup\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"ollita\",ActingAddress=\"10.108.123.148\",ActionSourceUser=\"cto\",ActionTargetUser=\"cusa\",ActionObject=\"nderi\",ActionSafe=\"tem\",ActionLocation=\"tcu\",ActionCategory=\"eumiu\",ActionRequestId=\"nim\",ActionReason=\"pteurs\",ActionExtraDetails=\"ercitati\"", - "file.directory": "tcu", - "file.name": "nderi", - "fileset.name": "corepas", - "host.ip": "10.108.123.148", - "input.type": "log", - "log.level": "medium", - "log.offset": 42211, - "observer.product": "isnostru", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.270", - "related.ip": [ - "10.108.123.148" - ], - "related.user": [ - "cusa", - "mmodicon", - "ollita" - ], - "rsa.db.index": "ercitati", - "rsa.internal.event_desc": "pteurs", - "rsa.internal.messageid": "260", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "eumiu", - "rsa.misc.group_object": "tem", - "rsa.misc.reference_id": "mquisno", - "rsa.misc.reference_id1": "nim", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.270", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ollita" - }, - { - "destination.address": "uido2773.www5.test", - "destination.port": 3820, - "event.action": "accept", - "event.code": "8", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "July 24 08:58:48 eturadip %CYBERARK: MessageID=\"8\";Version=1.425;Message=accept;Issuer=rsitamet;Station=10.114.0.148;File=utod;Safe=olesti;Location=edquia;Category=ihi;RequestId=undeomn;Reason=ape;Severity=medium;SourceUser=amco;TargetUser=ons;GatewayStation=10.198.187.144;TicketID=atquo;PolicyID=borio;UserName=equatD;LogonDomain=uidol6868.mail.localdomain;Address=uido2773.www5.test;CPMStatus=acons;Port=3820;Database=periam;DeviceType=ain;ExtraDetails=umiurer;", - 
"event.outcome": "success", - "file.directory": "edquia", - "file.name": "utod", - "fileset.name": "corepas", - "group.name": "amco", - "host.ip": "10.114.0.148", - "input.type": "log", - "log.level": "medium", - "log.offset": 42710, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.425", - "related.hosts": [ - "uido2773.www5.test", - "uidol6868.mail.localdomain" - ], - "related.ip": [ - "10.114.0.148", - "10.198.187.144" - ], - "related.user": [ - "equatD", - "ons", - "rsitamet" - ], - "rsa.db.database": "periam", - "rsa.db.index": "umiurer", - "rsa.internal.event_desc": "ape", - "rsa.internal.messageid": "8", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "ihi", - "rsa.misc.disposition": "acons", - "rsa.misc.group": "amco", - "rsa.misc.group_object": "olesti", - "rsa.misc.obj_type": "ain", - "rsa.misc.operation_id": "atquo", - "rsa.misc.policy_name": "borio", - "rsa.misc.reference_id": "8", - "rsa.misc.reference_id1": "undeomn", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.425", - "rsa.network.domain": "uidol6868.mail.localdomain", - "rsa.network.host_dst": "uido2773.www5.test", - "server.domain": "uidol6868.mail.localdomain", - "server.registered_domain": "mail.localdomain", - "server.subdomain": "uidol6868", - "server.top_level_domain": "localdomain", - "service.type": "cyberark", - "source.ip": [ - "10.198.187.144" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "rsitamet" - }, - { - "event.action": "allow", - "event.code": "litess", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "onorume 2019-08-07 16:01:23.132538723 +0000 UTC abill5290.lan %CYBERARK: MessageID=\"89\";mini 
1.7224\",ProductAccount=\"loru\",ProductProcess=\"iadeser\",EventId=\"litess\",EventClass=\"qui\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"equa\",ActingAddress=\"10.61.140.120\",ActionSourceUser=\"olorsit\",ActionTargetUser=\"naaliq\",ActionObject=\"plica\",ActionSafe=\"asiarc\",ActionLocation=\"lor\",ActionCategory=\"nvolupt\",ActionRequestId=\"dquia\",ActionReason=\"ora\",ActionExtraDetails=\"umfugiat\"", - "file.directory": "lor", - "file.name": "plica", - "fileset.name": "corepas", - "host.ip": "10.61.140.120", - "input.type": "log", - "log.level": "low", - "log.offset": 43175, - "observer.product": "mini", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7224", - "related.ip": [ - "10.61.140.120" - ], - "related.user": [ - "equa", - "loru", - "naaliq" - ], - "rsa.db.index": "umfugiat", - "rsa.internal.event_desc": "ora", - "rsa.internal.messageid": "89", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "nvolupt", - "rsa.misc.group_object": "asiarc", - "rsa.misc.reference_id": "litess", - "rsa.misc.reference_id1": "dquia", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.7224", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "equa" - }, - { - "destination.address": "quame1852.www.test", - "destination.port": 4512, - "event.action": "deny", - "event.code": "36", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"36\";Version=1.6988;Message=deny;Issuer=ite;Station=10.93.24.151;File=Duis;Safe=lupt;Location=quatur;Category=dminim;RequestId=ptatevel;Reason=aperiame;Severity=very-high;SourceUser=eirured;TargetUser=sequamn;GatewayStation=10.149.238.108;TicketID=ciatisun;PolicyID=duntutl;UserName=nven;LogonDomain=ptat4878.lan;Address=quame1852.www.test;CPMStatus=deomni;Port=4512;Database=fugi;DeviceType=nse;ExtraDetails=nesciu;", - "file.directory": "quatur", - "file.name": "Duis", - 
"fileset.name": "corepas", - "group.name": "eirured", - "host.ip": "10.93.24.151", - "input.type": "log", - "log.level": "very-high", - "log.offset": 43663, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6988", - "related.hosts": [ - "ptat4878.lan", - "quame1852.www.test" - ], - "related.ip": [ - "10.149.238.108", - "10.93.24.151" - ], - "related.user": [ - "ite", - "nven", - "sequamn" - ], - "rsa.db.database": "fugi", - "rsa.db.index": "nesciu", - "rsa.internal.event_desc": "aperiame", - "rsa.internal.messageid": "36", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "dminim", - "rsa.misc.disposition": "deomni", - "rsa.misc.group": "eirured", - "rsa.misc.group_object": "lupt", - "rsa.misc.obj_type": "nse", - "rsa.misc.operation_id": "ciatisun", - "rsa.misc.policy_name": "duntutl", - "rsa.misc.reference_id": "36", - "rsa.misc.reference_id1": "ptatevel", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6988", - "rsa.network.domain": "ptat4878.lan", - "rsa.network.host_dst": "quame1852.www.test", - "server.domain": "ptat4878.lan", - "server.registered_domain": "ptat4878.lan", - "server.top_level_domain": "lan", - "service.type": "cyberark", - "source.ip": [ - "10.149.238.108" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ite" - }, - { - "event.action": "accept", - "event.code": "vel", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "September 5 06:06:31 inrepreh %CYBERARK: MessageID=\"39\";rit 
1.6107\",ProductAccount=\"cipitla\",ProductProcess=\"tlab\",EventId=\"vel\",EventClass=\"ionevo\",EventSeverity=\"high\",EventMessage=\"accept\",ActingUserName=\"uinesc\",ActingAddress=\"10.101.45.225\",ActionSourceUser=\"utla\",ActionTargetUser=\"emi\",ActionObject=\"uaerat\",ActionSafe=\"iduntu\",ActionLocation=\"samvol\",ActionCategory=\"equa\",ActionRequestId=\"apari\",ActionReason=\"tsunt\",ActionExtraDetails=\"caecat\"", - "file.directory": "samvol", - "file.name": "uaerat", - "fileset.name": "corepas", - "host.ip": "10.101.45.225", - "input.type": "log", - "log.level": "high", - "log.offset": 44101, - "observer.product": "rit", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6107", - "related.ip": [ - "10.101.45.225" - ], - "related.user": [ - "cipitla", - "emi", - "uinesc" - ], - "rsa.db.index": "caecat", - "rsa.internal.event_desc": "tsunt", - "rsa.internal.messageid": "39", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.category": "equa", - "rsa.misc.group_object": "iduntu", - "rsa.misc.reference_id": "vel", - "rsa.misc.reference_id1": "apari", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.6107", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "uinesc" - }, - { - "event.action": "cancel", - "event.code": "texplica", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "qui 2019-09-19 13:09:05.912538723 +0000 UTC caboN3124.mail.home %CYBERARK: MessageID=\"8\";catcupid 1.3167\",ProductAccount=\"quela\",ProductProcess=\"uamquaer\",EventId=\"texplica\",EventClass=\"enimi\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"ore\",ActingAddress=\"10.2.204.161\",ActionSourceUser=\"iquamqu\",ActionTargetUser=\"eumfugia\",ActionObject=\"reeufugi\",ActionSafe=\"sequines\",ActionLocation=\"minimve\",ActionCategory=\"texplica\",ActionRequestId=\"entorev\",ActionReason=\"quuntur\",ActionExtraDetails=\"olup\"", - 
"event.outcome": "success", - "file.directory": "minimve", - "file.name": "reeufugi", - "fileset.name": "corepas", - "host.ip": "10.2.204.161", - "input.type": "log", - "log.level": "low", - "log.offset": 44555, - "observer.product": "catcupid", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3167", - "related.ip": [ - "10.2.204.161" - ], - "related.user": [ - "eumfugia", - "ore", - "quela" - ], - "rsa.db.index": "olup", - "rsa.internal.event_desc": "quuntur", - "rsa.internal.messageid": "8", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "texplica", - "rsa.misc.group_object": "sequines", - "rsa.misc.reference_id": "texplica", - "rsa.misc.reference_id1": "entorev", - "rsa.misc.severity": "low", - "rsa.misc.version": "1.3167", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ore" - }, - { - "event.action": "cancel", - "event.code": "utaliqui", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "les 2019-10-03 20:11:40.172538723 +0000 UTC norumet2571.internal.example %CYBERARK: MessageID=\"89\";temp 1.6971\",ProductAccount=\"aliqu\",ProductProcess=\"sequine\",EventId=\"utaliqui\",EventClass=\"isciv\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"ptatemse\",ActingAddress=\"10.33.112.100\",ActionSourceUser=\"catcup\",ActionTargetUser=\"enimad\",ActionObject=\"magnaali\",ActionSafe=\"velillum\",ActionLocation=\"ionev\",ActionCategory=\"vitaedi\",ActionRequestId=\"rna\",ActionReason=\"cons\",ActionExtraDetails=\"Except\"", - "file.directory": "ionev", - "file.name": "magnaali", - "fileset.name": "corepas", - "host.ip": "10.33.112.100", - "input.type": "log", - "log.level": "very-high", - "log.offset": 45067, - 
"observer.product": "temp", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.6971", - "related.ip": [ - "10.33.112.100" - ], - "related.user": [ - "aliqu", - "enimad", - "ptatemse" - ], - "rsa.db.index": "Except", - "rsa.internal.event_desc": "cons", - "rsa.internal.messageid": "89", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "vitaedi", - "rsa.misc.group_object": "velillum", - "rsa.misc.reference_id": "utaliqui", - "rsa.misc.reference_id1": "rna", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.6971", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "ptatemse" - }, - { - "destination.address": "lla5407.lan", - "destination.port": 4762, - "event.action": "block", - "event.code": "95", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"95\";Version=1.3175;Message=block;Issuer=neavol;Station=10.94.152.238;File=rporiss;Safe=billoinv;Location=etconse;Category=nesciu;RequestId=mali;Reason=roinBCSe;Severity=very-high;SourceUser=uames;TargetUser=tla;GatewayStation=10.151.110.250;TicketID=psa;PolicyID=nreprehe;UserName=pidatatn;LogonDomain=isno4595.local;Address=lla5407.lan;CPMStatus=upt;Port=4762;Database=itaedict;DeviceType=eroi;ExtraDetails=onemull;", - "file.directory": "etconse", - "file.name": "rporiss", - "fileset.name": "corepas", - "group.name": "uames", - "host.ip": "10.94.152.238", - "input.type": "log", - "log.level": "very-high", - "log.offset": 45585, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3175", - "related.hosts": [ - "isno4595.local", - "lla5407.lan" - ], - "related.ip": [ - "10.151.110.250", - "10.94.152.238" - ], - "related.user": [ - "neavol", - "pidatatn", - "tla" - ], - "rsa.db.database": "itaedict", - "rsa.db.index": "onemull", - "rsa.internal.event_desc": "roinBCSe", - "rsa.internal.messageid": 
"95", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.category": "nesciu", - "rsa.misc.disposition": "upt", - "rsa.misc.group": "uames", - "rsa.misc.group_object": "billoinv", - "rsa.misc.obj_type": "eroi", - "rsa.misc.operation_id": "psa", - "rsa.misc.policy_name": "nreprehe", - "rsa.misc.reference_id": "95", - "rsa.misc.reference_id1": "mali", - "rsa.misc.severity": "very-high", - "rsa.misc.version": "1.3175", - "rsa.network.domain": "isno4595.local", - "rsa.network.host_dst": "lla5407.lan", - "server.domain": "isno4595.local", - "server.registered_domain": "isno4595.local", - "server.top_level_domain": "local", - "service.type": "cyberark", - "source.ip": [ - "10.151.110.250" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "neavol" - }, - { - "destination.address": "iquipexe4708.api.localhost", - "destination.port": 5473, - "event.action": "allow", - "event.code": "179", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "mporain 2019-11-01 10:16:48.692538723 +0000 UTC eratvo7756.localdomain %CYBERARK: MessageID=\"179\";Version=1.4965;Message=allow;Issuer=alorumwr;Station=10.146.61.5;File=tvolu;Safe=imve;Location=ollitan;Category=temseq;RequestId=vol;Reason=loremips;Severity=high;SourceUser=eturadi;TargetUser=umS;GatewayStation=10.77.9.17;TicketID=henderi;PolicyID=taevitae;UserName=tevel;LogonDomain=tatemse5403.home;Address=iquipexe4708.api.localhost;CPMStatus=quuntur;Port=5473;Database=amremap;DeviceType=oremagna;ExtraDetails=aqu;", - "file.directory": "ollitan", - "file.name": "tvolu", - "fileset.name": "corepas", - "group.name": "eturadi", - "host.ip": "10.146.61.5", - "input.type": "log", - "log.level": "high", - "log.offset": 46024, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.4965", - "related.hosts": [ - "iquipexe4708.api.localhost", - "tatemse5403.home" - ], - "related.ip": [ - "10.146.61.5", - "10.77.9.17" - ], - 
"related.user": [ - "alorumwr", - "tevel", - "umS" - ], - "rsa.db.database": "amremap", - "rsa.db.index": "aqu", - "rsa.internal.event_desc": "loremips", - "rsa.internal.messageid": "179", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "temseq", - "rsa.misc.disposition": "quuntur", - "rsa.misc.group": "eturadi", - "rsa.misc.group_object": "imve", - "rsa.misc.obj_type": "oremagna", - "rsa.misc.operation_id": "henderi", - "rsa.misc.policy_name": "taevitae", - "rsa.misc.reference_id": "179", - "rsa.misc.reference_id1": "vol", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.4965", - "rsa.network.domain": "tatemse5403.home", - "rsa.network.host_dst": "iquipexe4708.api.localhost", - "server.domain": "tatemse5403.home", - "server.registered_domain": "tatemse5403.home", - "server.top_level_domain": "home", - "service.type": "cyberark", - "source.ip": [ - "10.77.9.17" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "alorumwr" - }, - { - "event.action": "allow", - "event.code": "saute", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"83\";tvolu 1.2244\",ProductAccount=\"ore\",ProductProcess=\"lors\",EventId=\"saute\",EventClass=\"ecillumd\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"sequatu\",ActingAddress=\"10.128.102.130\",ActionSourceUser=\"mdoloree\",ActionTargetUser=\"que\",ActionObject=\"inBCSed\",ActionSafe=\"cteturad\",ActionLocation=\"umq\",ActionCategory=\"ita\",ActionRequestId=\"ipsaquae\",ActionReason=\"olu\",ActionExtraDetails=\"exerci\"", - "file.directory": "umq", - "file.name": "inBCSed", - "fileset.name": "corepas", - "host.ip": "10.128.102.130", - "input.type": "log", - "log.level": "high", - "log.offset": 46542, - "observer.product": "tvolu", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.2244", - "related.ip": [ - "10.128.102.130" - ], - "related.user": [ - "ore", - "que", - "sequatu" - 
], - "rsa.db.index": "exerci", - "rsa.internal.event_desc": "olu", - "rsa.internal.messageid": "83", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "ita", - "rsa.misc.group_object": "cteturad", - "rsa.misc.reference_id": "saute", - "rsa.misc.reference_id1": "ipsaquae", - "rsa.misc.severity": "high", - "rsa.misc.version": "1.2244", - "service.type": "cyberark", - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "sequatu" - }, - { - "destination.address": "oremip4070.www5.invalid", - "destination.port": 1704, - "event.action": "cancel", - "event.code": "150", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "2019-11-30 00:21:57.212538723 +0000 UTC moen6809.internal.example %CYBERARK: MessageID=\"150\";Version=1.7701;Message=cancel;Issuer=reseo;Station=10.31.86.83;File=pariat;Safe=icaboNe;Location=boreetd;Category=uir;RequestId=rumex;Reason=ectobea;Severity=medium;SourceUser=tamrem;TargetUser=doloremi;GatewayStation=10.200.162.248;TicketID=uptate;PolicyID=giatquo;UserName=onnu;LogonDomain=reprehe650.www.corp;Address=oremip4070.www5.invalid;CPMStatus=turad;Port=1704;Database=billo;DeviceType=doloremi;ExtraDetails=ectetura;", - "file.directory": "boreetd", - "file.name": "pariat", - "fileset.name": "corepas", - "group.name": "tamrem", - "host.ip": "10.31.86.83", - "input.type": "log", - "log.level": "medium", - "log.offset": 46973, - "observer.product": "Core", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.7701", - "related.hosts": [ - "oremip4070.www5.invalid", - "reprehe650.www.corp" - ], - "related.ip": [ - "10.200.162.248", - "10.31.86.83" - ], - "related.user": [ - "doloremi", - "onnu", - "reseo" - ], - "rsa.db.database": "billo", - "rsa.db.index": "ectetura", - "rsa.internal.event_desc": "ectobea", - "rsa.internal.messageid": "150", - "rsa.misc.action": [ - "cancel" - ], - "rsa.misc.category": "uir", - "rsa.misc.disposition": "turad", - "rsa.misc.group": 
"tamrem", - "rsa.misc.group_object": "icaboNe", - "rsa.misc.obj_type": "doloremi", - "rsa.misc.operation_id": "uptate", - "rsa.misc.policy_name": "giatquo", - "rsa.misc.reference_id": "150", - "rsa.misc.reference_id1": "rumex", - "rsa.misc.severity": "medium", - "rsa.misc.version": "1.7701", - "rsa.network.domain": "reprehe650.www.corp", - "rsa.network.host_dst": "oremip4070.www5.invalid", - "server.domain": "reprehe650.www.corp", - "server.registered_domain": "www.corp", - "server.subdomain": "reprehe650", - "server.top_level_domain": "corp", - "service.type": "cyberark", - "source.ip": [ - "10.200.162.248" - ], - "tags": [ - "cyberark.corepas", - "forwarded" - ], - "user.name": "reseo" - }, - { - "event.action": "allow", - "event.code": "iatnulap", - "event.dataset": "cyberark.corepas", - "event.module": "cyberark", - "event.original": "%CYBERARK: MessageID=\"166\";cul 1.3325\",ProductAccount=\"atatn\",ProductProcess=\"ipisc\",EventId=\"iatnulap\",EventClass=\"roi\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"volup\",ActingAddress=\"10.103.215.159\",ActionSourceUser=\"ddoeiusm\",ActionTargetUser=\"apa\",ActionObject=\"archite\",ActionSafe=\"tur\",ActionLocation=\"ddo\",ActionCategory=\"emp\",ActionRequestId=\"inBC\",ActionReason=\"did\",ActionExtraDetails=\"atcupi\"", - "file.directory": "ddo", - "file.name": "archite", - "fileset.name": "corepas", - "host.ip": "10.103.215.159", - "input.type": "log", - "log.level": "high", - "log.offset": 47494, - "observer.product": "cul", - "observer.type": "Access", - "observer.vendor": "Cyberark", - "observer.version": "1.3325", - "related.ip": [ - "10.103.215.159" - ], - "related.user": [ - "apa", - "atatn", - "volup" - ], - "rsa.db.index": "atcupi", - "rsa.internal.event_desc": "did", - "rsa.internal.messageid": "166", - "rsa.misc.action": [ - "allow" - ], - "rsa.misc.category": "emp", - "rsa.misc.group_object": "tur", - "rsa.misc.reference_id": "iatnulap", - "rsa.misc.reference_id1": "inBC", - 
"rsa.misc.severity": "high",
- "rsa.misc.version": "1.3325",
- "service.type": "cyberark",
- "tags": [
- "cyberark.corepas",
- "forwarded"
- ],
- "user.name": "volup"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberark/fields.go b/x-pack/filebeat/module/cyberark/fields.go
deleted file mode 100644
index 92881453766f..000000000000
--- a/x-pack/filebeat/module/cyberark/fields.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
-
-package cyberark
-
-import (
- "github.com/elastic/beats/v7/libbeat/asset"
-)
-
-func init() {
- if err := asset.SetFields("filebeat", "cyberark", asset.ModuleFieldsPri, AssetCyberark); err != nil {
- panic(err)
- }
-}
-
-// AssetCyberark returns asset data.
-// This is the base64 encoded zlib format compressed contents of module/cyberark.
-func AssetCyberark() string {
- return ""
-}
diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml
deleted file mode 100644
index 24cdb4931674..000000000000
--- a/x-pack/filebeat/module/gsuite/_meta/config.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.
-- module: gsuite
- saml:
- enabled: false
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- user_accounts:
- enabled: false
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- login:
- enabled: false
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- admin:
- enabled: false
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- drive:
- enabled: false
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
- groups:
- enabled: false
- # var.jwt_file: credentials.json
- # var.delegated_account: admin@example.com
- # var.initial_interval: 24h
- # var.http_client_timeout: 60s
- # var.user_key: all
- # var.interval: 2h
diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc
deleted file mode 100644
index 38402d773a0d..000000000000
--- a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc
+++ /dev/null
@@ -1,133 +0,0 @@ -[role="xpack"] - -:modulename: gsuite -:has-dashboards: false - -== GSuite module - -beta[] - -deprecated::[7.12] - -This is a module for ingesting data from the different GSuite audit reports API's. - -include::../include/gs-link.asciidoc[] - -[float] -=== Compatibility - -It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: - -[options="header"] -|=========================================================================================================================================================================================================================== -| GSuite Service | Description | -| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | -| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | -| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | -| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. 
| -| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | -| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | -|=========================================================================================================================================================================================================================== - -[float] -=== Configure the module - -In order for Filebeat to ingest data from the Google Reports API you must: - -- Have an *administrator account*. -- https://support.google.com/gsuitemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. -- https://support.google.com/gsuitemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. -- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. 
- -This module will make use of the following *oauth2 scope*: - -- `https://www.googleapis.com/auth/admin.reports.audit.readonly` - -Once you have downloaded your service account credentials as a JSON file, -you can set up your module: - -[float] -===== Configuration options - -[source,yaml] ----- -- module: gsuite - saml: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - user_accounts: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - login: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - admin: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - drive: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" - groups: - enabled: true - var.jwt_file: "./credentials_file.json" - var.delegated_account: "user@example.com" ----- - -Every fileset has the following configuration options: - -*`var.jwt_file`*:: - -Specifies the path to the JWT credentials file. - -*`var.delegated_account`*:: - -Email of the admin user used to access the API. - -*`var.http_client_timeout`*:: - -Duration of the time limit on HTTP requests made by the module. Defaults to -`60s`. - -*`var.interval`*:: - -Duration between requests to the API. Defaults to `2h`. - -NOTE: GSuite defaults to a 2 hour polling interval because Google reports can go from -some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. - -*`var.user_key`*:: - -Specifies the user key to fetch reports from. Defaults to `all`. - -*`var.initial_interval`*:: - -It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`. 
- -[float] -==== GSuite Reports ECS fields - -This is a list of GSuite Reports fields that are mapped to ECS. - -[options="header"] -|=============================================================================================== -| GSuite Reports | ECS Fields | -| `items[].id.time` | `@timestamp` | -| `items[].id.uniqueQualifier` | `event.id` | -| `items[].id.applicationName` | `event.provider` | -| `items[].events[].name` | `event.action` | -| `items[].customerId` | `organization.id` | -| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | -| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | -| `items[].actor.profileId` | `source.user.id` | -|=============================================================================================== - -These are the common ones to all filesets. - -:has-dashboards!: - -:modulename!: diff --git a/x-pack/filebeat/module/gsuite/_meta/fields.yml b/x-pack/filebeat/module/gsuite/_meta/fields.yml deleted file mode 100644 index 21ef9c6e6926..000000000000 --- a/x-pack/filebeat/module/gsuite/_meta/fields.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -- key: gsuite - title: "gsuite" - description: > - gsuite Module - fields: - - name: gsuite - default_field: false - type: group - description: > - Gsuite specific fields. - - More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - fields: - - name: actor.type - type: keyword - description: > - The type of actor. - - Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - name: actor.key - type: keyword - description: > - Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - name: event.type - type: keyword - description: > - The type of GSuite event, mapped from `items[].events[].type` in the original payload. - Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - example: audit#activity - - name: kind - type: keyword - description: > - The type of API resource, mapped from `kind` in the original payload. - More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - example: audit#activity - - name: organization.domain - type: keyword - description: > - The domain that is affected by the report's event. diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml deleted file mode 100644 index 7c82f3ed6e71..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ /dev/null 
@@ -1,271 +0,0 @@ -- name: admin - type: group - fields: - - name: application.edition - type: keyword - description: The GSuite edition. - - name: application.name - type: keyword - description: The application's name. - - name: application.enabled - type: keyword - description: The enabled application. - - name: application.licences_order_number - type: keyword - description: Order number used to redeem licenses. - - name: application.licences_purchased - type: keyword - description: Number of licences purchased. - - name: application.id - type: keyword - description: The application ID. - - name: application.asp_id - type: keyword - description: The application specific password ID. - - name: application.package_id - type: keyword - description: The mobile application package ID. - - name: group.email - type: keyword - description: The group's primary email address. - - name: new_value - type: keyword - description: The new value for the setting. - - name: old_value - type: keyword - description: The old value for the setting. - - name: org_unit.name - type: keyword - description: The organizational unit name. - - name: org_unit.full - type: keyword - description: The org unit full path including the root org unit name. - - name: setting.name - type: keyword - description: The setting name. - - name: user_defined_setting.name - type: keyword - description: The name of the user-defined setting. - - name: setting.description - type: keyword - description: The setting name. - - name: group.priorities - type: keyword - description: Group priorities. - - name: domain.alias - type: keyword - description: The domain alias. - - name: domain.name - type: keyword - description: The primary domain name. - - name: domain.secondary_name - type: keyword - description: The secondary domain name. - - name: managed_configuration - type: keyword - description: The name of the managed configuration. 
- - name: non_featured_services_selection - type: keyword - description: > - Non-featured services selection. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED - - name: field - type: keyword - description: The name of the field. - - name: resource.id - type: keyword - description: The name of the resource identifier. - - name: user.email - type: keyword - description: The user's primary email address. - - name: user.nickname - type: keyword - description: The user's nickname. - - name: user.birthdate - type: date - description: The user's birth date. - - name: gateway.name - type: keyword - description: Gateway name. Present on some chat settings. - - name: chrome_os.session_type - type: keyword - description: Chrome OS session type. - - name: device.serial_number - type: keyword - description: Device serial number. - - name: device.id - type: keyword - - name: device.type - type: keyword - description: Device type. - - name: print_server.name - type: keyword - description: The name of the print server. - - name: printer.name - type: keyword - description: The name of the printer. - - name: device.command_details - type: keyword - description: Command details. - - name: role.id - type: keyword - description: Unique identifier for this role privilege. - - name: role.name - type: keyword - description: > - The role name. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings - - name: privilege.name - type: keyword - description: Privilege name. - - name: service.name - type: keyword - description: The service name. - - name: url.name - type: keyword - description: The website name. - - name: product.name - type: keyword - description: The product name. - - name: product.sku - type: keyword - description: The product SKU. 
- - name: bulk_upload.failed - type: long - description: Number of failed records in bulk upload operation. - - name: bulk_upload.total - type: long - description: Number of total records in bulk upload operation. - - name: group.allowed_list - type: keyword - description: Names of allow-listed groups. - - name: email.quarantine_name - type: keyword - description: The name of the quarantine. - - name: email.log_search_filter.message_id - type: keyword - description: The log search filter's email message ID. - - name: email.log_search_filter.start_date - type: date - description: The log search filter's start date. - - name: email.log_search_filter.end_date - type: date - description: The log search filter's ending date. - - name: email.log_search_filter.recipient.value - type: keyword - description: The log search filter's email recipient. - - name: email.log_search_filter.sender.value - type: keyword - description: The log search filter's email sender. - - name: email.log_search_filter.recipient.ip - type: ip - description: The log search filter's email recipient's IP address. - - name: email.log_search_filter.sender.ip - type: ip - description: The log search filter's email sender's IP address. - - name: chrome_licenses.enabled - type: keyword - description: > - Licences enabled. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings - - name: chrome_licenses.allowed - type: keyword - description: > - Licences enabled. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings - - name: oauth2.service.name - type: keyword - description: > - OAuth2 service name. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings - - name: oauth2.application.id - type: keyword - description: OAuth2 application ID. 
- - name: oauth2.application.name - type: keyword - description: OAuth2 application name. - - name: oauth2.application.type - type: keyword - description: > - OAuth2 application type. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings - - name: verification_method - type: keyword - description: > - Related verification method. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings - - name: alert.name - type: keyword - description: The alert name. - - name: rule.name - type: keyword - description: The rule name. - - name: api.client.name - type: keyword - description: The API client name. - - name: api.scopes - type: keyword - description: The API scopes. - - name: mdm.token - type: keyword - description: The MDM vendor enrollment token. - - name: mdm.vendor - type: keyword - description: The MDM vendor's name. - - name: info_type - type: keyword - description: > - This will be used to state what kind of information was changed. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings - - name: email_monitor.dest_email - type: keyword - description: The destination address of the email monitor. - - name: email_monitor.level.chat - type: keyword - description: The chat email monitor level. - - name: email_monitor.level.draft - type: keyword - description: The draft email monitor level. - - name: email_monitor.level.incoming - type: keyword - description: The incoming email monitor level. - - name: email_monitor.level.outgoing - type: keyword - description: The outgoing email monitor level. - - name: email_dump.include_deleted - type: boolean - description: Indicates if deleted emails are included in the export. 
- - name: email_dump.package_content - type: keyword - description: The contents of the mailbox package. - - name: email_dump.query - type: keyword - description: The search query used for the dump. - - name: request.id - type: keyword - description: The request ID. - - name: mobile.action.id - type: keyword - description: The mobile device action's ID. - - name: mobile.action.type - type: keyword - description: > - The mobile device action's type. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - - name: mobile.certificate.name - type: keyword - description: The mobile certificate common name. - - name: mobile.company_owned_devices - type: long - description: The number of devices a company owns. - - name: distribution.entity.name - type: keyword - description: > - The distribution entity value, which can be a group name or an org-unit name. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - - name: distribution.entity.type - type: keyword - description: > - The distribution entity type, which can be a group or an org-unit. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings diff --git a/x-pack/filebeat/module/gsuite/admin/config/config.yml b/x-pack/filebeat/module/gsuite/admin/config/config.yml deleted file mode 100644 index 409da0182e37..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/config/config.yml +++ /dev/null 
@@ -1,54 +0,0 @@
-{{ if eq .input "httpjson" }}
-type: httpjson
-
-url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/admin
-json_objects_array: items
-split_events_by: events
-
-interval: {{ .interval }}
-
-{{ if .http_client_timeout }}
-http_client_timeout: {{ .http_client_timeout }}
-{{ end }}
-
-oauth2.provider: google
-oauth2.google.jwt_file: {{ .jwt_file }}
-oauth2.google.delegated_account: {{ .delegated_account }}
-oauth2.scopes:
- - https://www.googleapis.com/auth/admin.reports.audit.readonly
-
-date_cursor.url_field: startTime
-date_cursor.initial_interval: {{ .initial_interval }}
-
-pagination.id_field: nextPageToken
-pagination.url_field: pageToken
-
-{{ if .proxy_url }}
-request.proxy_url: {{ .proxy_url }}
-{{ end }}
-
-{{ else if eq .input "file" }}
-type: log
-paths:
-{{ range $i, $path := .paths }}
- - {{$path}}
-{{ end }}
-exclude_files: [".gz$"]
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.11.0
- - script:
- lang: javascript
- id: gsuite-common
- file: ${path.home}/module/gsuite/config/common.js
- - script:
- lang: javascript
- id: gsuite-admin
- file: ${path.home}/module/gsuite/admin/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
deleted file mode 100644
index 9fdaa12998e7..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
+++ /dev/null
@@ -1,967 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -var login = (function () { - var processor = require("processor"); - - var categorizeEvent = function(evt) { - // not convinced that these should be iam - evt.Put("event.category", ["iam"]); - switch (evt.Get("event.action")) { - case "CHANGE_APPLICATION_SETTING": - case "UPDATE_MANAGED_CONFIGURATION": - case "CHANGE_CALENDAR_SETTING": - case "CHANGE_CHAT_SETTING": - case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": - case "GPLUS_PREMIUM_FEATURES": - case "UPDATE_CALENDAR_RESOURCE_FEATURE": - case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED": - case "MEET_INTEROP_MODIFY_GATEWAY": - case "CHANGE_CHROME_OS_APPLICATION_SETTING": - case "CHANGE_CHROME_OS_DEVICE_SETTING": - case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": - case "CHANGE_CHROME_OS_SETTING": - case "CHANGE_CHROME_OS_USER_SETTING": - case "CHANGE_CONTACTS_SETTING": - case "CHANGE_DOCS_SETTING": - case "CHANGE_SITES_SETTING": - case "CHANGE_EMAIL_SETTING": - case "CHANGE_GMAIL_SETTING": - case "ALLOW_STRONG_AUTHENTICATION": - case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": - case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": - case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": - case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": - case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": - case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": - case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": - case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": - case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": - case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": - case "ENFORCE_STRONG_AUTHENTICATION": - case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": - case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": - case "SESSION_CONTROL_SETTINGS_CHANGE": - case "CHANGE_SESSION_LENGTH": 
- case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": - case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": - case "ENABLE_API_ACCESS": - case "CHANGE_WHITELIST_SETTING": - case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": - case "ENABLE_FEEDBACK_SOLICITATION": - case "TOGGLE_CONTACT_SHARING": - case "TOGGLE_USE_CUSTOM_LOGO": - case "CHANGE_DATA_LOCALIZATION_SETTING": - case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": - case "TOGGLE_SSO_ENABLED": - case "TOGGLE_SSL": - case "TOGGLE_NEW_APP_FEATURES": - case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": - case "TOGGLE_OPEN_ID_ENABLED": - case "TOGGLE_OUTBOUND_RELAY": - case "CHANGE_SSO_SETTINGS": - case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": - case "CHANGE_MOBILE_APPLICATION_SETTINGS": - case "CHANGE_MOBILE_SETTING": - evt.AppendTo("event.category", "configuration") - evt.Put("event.type", ["change"]); - break; - case "UPDATE_BUILDING": - case "RENAME_CALENDAR_RESOURCE": - case "UPDATE_CALENDAR_RESOURCE": - case "CANCEL_CALENDAR_EVENTS": - case "RELEASE_CALENDAR_RESOURCES": - case "CHANGE_DEVICE_STATE": - case "CHANGE_CHROME_OS_DEVICE_ANNOTATION": - case "CHANGE_CHROME_OS_DEVICE_STATE": - case "UPDATE_CHROME_OS_PRINT_SERVER": - case "UPDATE_CHROME_OS_PRINTER": - case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED": - case "UPDATE_DEVICE": - case "SEND_CHROME_OS_DEVICE_COMMAND": - case "ASSIGN_ROLE": - case "ADD_PRIVILEGE": - case "REMOVE_PRIVILEGE": - case "RENAME_ROLE": - case "UPDATE_ROLE": - case "UNASSIGN_ROLE": - case "TRANSFER_DOCUMENT_OWNERSHIP": - case "ORG_USERS_LICENSE_ASSIGNMENT": - case "ORG_ALL_USERS_LICENSE_ASSIGNMENT": - case "USER_LICENSE_ASSIGNMENT": - case "CHANGE_LICENSE_AUTO_ASSIGN": - case "USER_LICENSE_REASSIGNMENT": - case "ORG_LICENSE_REVOKE": - case "USER_LICENSE_REVOKE": - case "UPDATE_DYNAMIC_LICENSE": - case "DROP_FROM_QUARANTINE": - case "REJECT_FROM_QUARANTINE": - case "RELEASE_FROM_QUARANTINE": - case "CHROME_LICENSES_ENABLED": - case "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED": - case "ASSIGN_CUSTOM_LOGO": - case 
"UNASSIGN_CUSTOM_LOGO": - case "REVOKE_ENROLLMENT_TOKEN": - case "CHROME_LICENSES_ALLOWED": - case "EDIT_ORG_UNIT_DESCRIPTION": - case "MOVE_ORG_UNIT": - case "EDIT_ORG_UNIT_NAME": - case "REVOKE_DEVICE_ENROLLMENT_TOKEN": - case "TOGGLE_SERVICE_ENABLED": - case "ADD_TO_TRUSTED_OAUTH2_APPS": - case "REMOVE_FROM_TRUSTED_OAUTH2_APPS": - case "BLOCK_ON_DEVICE_ACCESS": - case "TOGGLE_CAA_ENABLEMENT": - case "CHANGE_CAA_ERROR_MESSAGE": - case "CHANGE_CAA_APP_ASSIGNMENTS": - case "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS": - case "TRUST_DOMAIN_OWNED_OAUTH2_APPS": - case "UNBLOCK_ON_DEVICE_ACCESS": - case "CHANGE_ACCOUNT_AUTO_RENEWAL": - case "ADD_APPLICATION": - case "ADD_APPLICATION_TO_WHITELIST": - case "CHANGE_ADVERTISEMENT_OPTION": - case "CHANGE_ALERT_CRITERIA": - case "ALERT_RECEIVERS_CHANGED": - case "RENAME_ALERT": - case "ALERT_STATUS_CHANGED": - case "ADD_DOMAIN_ALIAS": - case "REMOVE_DOMAIN_ALIAS": - case "AUTHORIZE_API_CLIENT_ACCESS": - case "REMOVE_API_CLIENT_ACCESS": - case "CHROME_LICENSES_REDEEMED": - case "TOGGLE_AUTO_ADD_NEW_SERVICE": - case "CHANGE_PRIMARY_DOMAIN": - case "CHANGE_CONFLICT_ACCOUNT_ACTION": - case "CHANGE_CUSTOM_LOGO": - case "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA": - case "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO": - case "CHANGE_DOMAIN_DEFAULT_LOCALE": - case "CHANGE_DOMAIN_DEFAULT_TIMEZONE": - case "CHANGE_DOMAIN_NAME": - case "TOGGLE_ENABLE_PRE_RELEASE_FEATURES": - case "CHANGE_DOMAIN_SUPPORT_MESSAGE": - case "ADD_TRUSTED_DOMAINS": - case "REMOVE_TRUSTED_DOMAINS": - case "CHANGE_EDU_TYPE": - case "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO": - case "CHANGE_LOGIN_BACKGROUND_COLOR": - case "CHANGE_LOGIN_BORDER_COLOR": - case "CHANGE_LOGIN_ACTIVITY_TRACE": - case "PLAY_FOR_WORK_ENROLL": - case "PLAY_FOR_WORK_UNENROLL": - case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": - case "CHANGE_ORGANIZATION_NAME": - case "CHANGE_PASSWORD_MAX_LENGTH": - case "CHANGE_PASSWORD_MIN_LENGTH": - case "REMOVE_APPLICATION": - case "REMOVE_APPLICATION_FROM_WHITELIST": - case 
"CHANGE_RENEW_DOMAIN_REGISTRATION": - case "CHANGE_RESELLER_ACCESS": - case "RULE_ACTIONS_CHANGED": - case "CHANGE_RULE_CRITERIA": - case "RENAME_RULE": - case "RULE_STATUS_CHANGED": - case "ADD_SECONDARY_DOMAIN": - case "REMOVE_SECONDARY_DOMAIN": - case "UPDATE_DOMAIN_SECONDARY_EMAIL": - case "UPDATE_RULE": - case "ADD_MOBILE_CERTIFICATE": - case "COMPANY_OWNED_DEVICE_BLOCKED": - case "COMPANY_OWNED_DEVICE_UNBLOCKED": - case "COMPANY_OWNED_DEVICE_WIPED": - case "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT": - case "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER": - case "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST": - case "ADD_MOBILE_APPLICATION_TO_WHITELIST": - case "CHANGE_ADMIN_RESTRICTIONS_PIN": - case "CHANGE_MOBILE_WIRELESS_NETWORK": - case "ADD_MOBILE_WIRELESS_NETWORK": - case "REMOVE_MOBILE_WIRELESS_NETWORK": - case "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD": - case "REMOVE_MOBILE_CERTIFICATE": - evt.Put("event.type", ["change"]); - break; - case "CREATE_APPLICATION_SETTING": - case "CREATE_GMAIL_SETTING": - evt.AppendTo("event.category", "configuration") - evt.Put("event.type", ["creation"]); - break; - case "CREATE_MANAGED_CONFIGURATION": - case "CREATE_BUILDING": - case "CREATE_CALENDAR_RESOURCE": - case "CREATE_CALENDAR_RESOURCE_FEATURE": - case "MEET_INTEROP_CREATE_GATEWAY": - case "INSERT_CHROME_OS_PRINT_SERVER": - case "INSERT_CHROME_OS_PRINTER": - case "CREATE_ROLE": - case "ADD_WEB_ADDRESS": - case "EMAIL_UNDELETE": - case "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED": - case "CREATE_DEVICE_ENROLLMENT_TOKEN": - case "CREATE_ENROLLMENT_TOKEN": - case "CREATE_ORG_UNIT": - case "CREATE_ALERT": - case "CREATE_PLAY_FOR_WORK_TOKEN": - case "GENERATE_TRANSFER_TOKEN": - case "REGENERATE_OAUTH_CONSUMER_SECRET": - case "CREATE_RULE": - case "GENERATE_PIN": - case "COMPANY_DEVICES_BULK_CREATION": - evt.Put("event.type", ["creation"]); - break; - case "DELETE_APPLICATION_SETTING": - case "DELETE_GMAIL_SETTING": - evt.AppendTo("event.category", "configuration") - 
evt.Put("event.type", ["deletion"]); - break; - case "DELETE_MANAGED_CONFIGURATION": - case "DELETE_BUILDING": - case "DELETE_CALENDAR_RESOURCE": - case "DELETE_CALENDAR_RESOURCE_FEATURE": - case "MEET_INTEROP_DELETE_GATEWAY": - case "DELETE_CHROME_OS_PRINT_SERVER": - case "DELETE_CHROME_OS_PRINTER": - case "REMOVE_CHROME_OS_APPLICATION_SETTINGS": - case "DELETE_ROLE": - case "DELETE_WEB_ADDRESS": - case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED": - case "REMOVE_ORG_UNIT": - case "DELETE_ALERT": - case "DELETE_PLAY_FOR_WORK_TOKEN": - case "DELETE_RULE": - case "COMPANY_DEVICE_DELETION": - evt.Put("event.type", ["deletion"]); - break; - case "DELETE_GROUP": - evt.Put("event.type", ["group", "creation"]); - break; - case "CREATE_GROUP": - evt.Put("event.type", ["group", "creation"]); - break; - case "REORDER_GROUP_BASED_POLICIES_EVENT": - case "CHANGE_GROUP_DESCRIPTION": - case "ADD_GROUP_MEMBER": - case "REMOVE_GROUP_MEMBER": - case "UPDATE_GROUP_MEMBER": - case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS": - case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE": - case "CHANGE_GROUP_NAME": - case "CHANGE_GROUP_SETTING": - case "GROUP_MEMBER_BULK_UPLOAD": - case "WHITELISTED_GROUPS_UPDATED": - evt.Put("event.type", ["group", "change"]); - break; - case "REVOKE_3LO_DEVICE_TOKENS": - case "REVOKE_3LO_TOKEN": - case "ADD_RECOVERY_EMAIL": - case "ADD_RECOVERY_PHONE": - case "GRANT_ADMIN_PRIVILEGE": - case "REVOKE_ADMIN_PRIVILEGE": - case "REVOKE_ASP": - case "TOGGLE_AUTOMATIC_CONTACT_SHARING": - case "CANCEL_USER_INVITE": - case "CHANGE_USER_CUSTOM_FIELD": - case "CHANGE_USER_EXTERNAL_ID": - case "CHANGE_USER_GENDER": - case "CHANGE_USER_IM": - case "ENABLE_USER_IP_WHITELIST": - case "CHANGE_USER_KEYWORD": - case "CHANGE_USER_LANGUAGE": - case "CHANGE_USER_LOCATION": - case "CHANGE_USER_ORGANIZATION": - case "CHANGE_USER_PHONE_NUMBER": - case "CHANGE_RECOVERY_EMAIL": - case "CHANGE_RECOVERY_PHONE": - case "CHANGE_USER_RELATION": - case "CHANGE_USER_ADDRESS": 
- case "GRANT_DELEGATED_ADMIN_PRIVILEGES": - case "CHANGE_FIRST_NAME": - case "GMAIL_RESET_USER": - case "CHANGE_LAST_NAME": - case "MAIL_ROUTING_DESTINATION_ADDED": - case "MAIL_ROUTING_DESTINATION_REMOVED": - case "ADD_NICKNAME": - case "REMOVE_NICKNAME": - case "CHANGE_PASSWORD": - case "CHANGE_PASSWORD_ON_NEXT_LOGIN": - case "REMOVE_RECOVERY_EMAIL": - case "REMOVE_RECOVERY_PHONE": - case "RESET_SIGNIN_COOKIES": - case "SECURITY_KEY_REGISTERED_FOR_USER": - case "REVOKE_SECURITY_KEY": - case "TURN_OFF_2_STEP_VERIFICATION": - case "UNBLOCK_USER_SESSION": - case "UNENROLL_USER_FROM_TITANIUM": - case "ARCHIVE_USER": - case "UPDATE_BIRTHDATE": - case "DOWNGRADE_USER_FROM_GPLUS": - case "USER_ENROLLED_IN_TWO_STEP_VERIFICATION": - case "MOVE_USER_TO_ORG_UNIT": - case "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD": - case "RENAME_USER": - case "UNENROLL_USER_FROM_STRONG_AUTH": - case "SUSPEND_USER": - case "UNARCHIVE_USER": - case "UNSUSPEND_USER": - case "UPGRADE_USER_TO_GPLUS": - case "MOBILE_DEVICE_APPROVE": - case "MOBILE_DEVICE_BLOCK": - case "MOBILE_DEVICE_WIPE": - case "MOBILE_ACCOUNT_WIPE": - case "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE": - case "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK": - evt.Put("event.type", ["user", "change"]); - break; - case "DELETE_2SV_SCRATCH_CODES": - case "DELETE_ACCOUNT_INFO_DUMP": - case "DELETE_EMAIL_MONITOR": - case "DELETE_MAILBOX_DUMP": - case "DELETE_USER": - case "MOBILE_DEVICE_DELETE": - evt.Put("event.type", ["user", "deletion"]); - break; - case "GENERATE_2SV_SCRATCH_CODES": - case "CREATE_EMAIL_MONITOR": - case "CREATE_DATA_TRANSFER_REQUEST": - case "CREATE_USER": - case "UNDELETE_USER": - evt.Put("event.type", ["user", "creation"]); - break; - case "ISSUE_DEVICE_COMMAND": - case "DRIVE_DATA_RESTORE": - case "VIEW_SITE_DETAILS": - case "EMAIL_LOG_SEARCH": - case "SKIP_DOMAIN_ALIAS_MX": - case "VERIFY_DOMAIN_ALIAS_MX": - case "VERIFY_DOMAIN_ALIAS": - case "VIEW_DNS_LOGIN_DETAILS": - case "MX_RECORD_VERIFICATION_CLAIM": - case 
"UPLOAD_OAUTH_CERTIFICATE": - case "SKIP_SECONDARY_DOMAIN_MX": - case "VERIFY_SECONDARY_DOMAIN_MX": - case "VERIFY_SECONDARY_DOMAIN": - case "BULK_UPLOAD": - case "DOWNLOAD_PENDING_INVITES_LIST": - case "DOWNLOAD_USERLIST_CSV": - case "USERS_BULK_UPLOAD": - case "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT": - case "USE_GOOGLE_MOBILE_MANAGEMENT": - case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS": - case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS": - evt.Put("event.type", ["info"]); - break; - case "GROUP_LIST_DOWNLOAD": - case "GROUP_MEMBERS_DOWNLOAD": - evt.Put("event.type", ["group", "info"]); - break; - case "REQUEST_ACCOUNT_INFO": - case "REQUEST_MAILBOX_DUMP": - case "RESEND_USER_INVITE": - case "BULK_UPLOAD_NOTIFICATION_SENT": - case "USER_INVITE": - case "VIEW_TEMP_PASSWORD": - case "USERS_BULK_UPLOAD_NOTIFICATION_SENT": - case "ACTION_CANCELLED": - case "ACTION_REQUESTED": - evt.Put("event.type", ["user", "info"]); - break; - } - }; - - var getParamValue = function(param) { - if (param.value) { - return param.value; - } - if (param.multiValue) { - return param.multiValue; - } - if (param.intValue !== null) { - return param.intValue; - } - }; - - var flattenParams = function(evt) { - var params = evt.Get("json.events.parameters"); - if (!params || !Array.isArray(params)) { - return; - } - - params.forEach(function(p){ - evt.Put("gsuite.admin."+p.name, getParamValue(p)); - }); - - evt.Delete("json.events.parameters"); - }; - - var setGroupInfo = function(evt) { - var email = evt.Get("gsuite.admin.group.email"); - if (!email) { - return; - } - - var data = email.split("@"); - if (data.length !== 2) { - return; - } - - evt.Put("group.name", data[0]); - evt.Put("group.domain", data[1]); - }; - - var setRelatedUserInfo = function(evt) { - var email = evt.Get("gsuite.admin.user.email"); - if (!email) { - return; - } - - var data = email.split("@"); - if (data.length !== 2) { - return; - } - - evt.AppendTo("related.user", data[0]); - evt.Put("user.target.name", data[0]); - 
evt.Put("user.target.domain", data[1]); - evt.Put("user.target.email", email); - var groupName = evt.Get("group.name"); - if (groupName) { - evt.Put("user.target.group.name", groupName); - } - var groupDomain = evt.Get("group.domain"); - if (groupDomain) { - evt.Put("user.target.group.domain", groupDomain); - } - }; - - var setEventDuration = function(evt) { - var start = evt.Get("event.start"); - var end = evt.Get("event.end"); - if (!start || !end) { - return; - } - - evt.Put("event.duration", end.UnixNano() - start.UnixNano()); - }; - - var setEventOutcome = function(evt) { - var failed = evt.Get("gsuite.admin.group.bulk_upload.failed"); - if (failed === null) { - return; - } - - if (failed === 0) { - evt.Put("event.outcome", "success"); - } else { - evt.Put("event.outcome", "failure"); - } - }; - - var setGroupAllowedlist = function(evt) { - var allowedList = evt.Get("gsuite.admin.WHITELISTED_GROUPS"); - if (!allowedList) { - return; - } - - evt.Put("gsuite.admin.group.allowed_list", allowedList.split(",")); - evt.Delete("gsuite.admin.WHITELISTED_GROUPS"); - }; - - var deleteField = function(field) { - return function(evt) { - evt.Delete(field); - }; - }; - - var parseDate = function(field, targetField) { - return new processor.Chain() - .Add(new processor.Timestamp({ - field: field, - target_field: targetField, - timezone: "UTC", - layouts: [ - "2006-01-02T15:04:05Z", - "2006-01-02T15:04:05.999Z", - "2006/01/02 15:04:05 UTC", - ], - tests: [ - "2020-02-05T18:19:23Z", - "2020-02-05T18:19:23.599Z", - "2020/07/28 04:59:59 UTC", - ], - ignore_missing: true, - })) - .Add(deleteField(field)) - .Build() - }; - - var pipeline = new processor.Chain() - .Add(categorizeEvent) - .Add(flattenParams) - .Convert({ - fields: [ - { - from: "gsuite.admin.APPLICATION_EDITION", - to: "gsuite.admin.application.edition", - }, - { - from: "gsuite.admin.APPLICATION_NAME", - to: "gsuite.admin.application.name", - }, - { - from: "gsuite.admin.APPLICATION_ENABLED", - to: 
"gsuite.admin.application.enabled", - }, - { - from: "gsuite.admin.APP_LICENSES_ORDER_NUMBER", - to: "gsuite.admin.application.licences_order_number", - }, - { - from: "gsuite.admin.CHROME_NUM_LICENSES_PURCHASED", - to: "gsuite.admin.application.licences_purchased", - type: "long", - }, - { - from: "gsuite.admin.REAUTH_APPLICATION", - to: "gsuite.admin.application.name", - }, - { - from: "gsuite.admin.GROUP_EMAIL", - to: "gsuite.admin.group.email", - }, - { - from: "gsuite.admin.GROUP_NAME", - to: "group.name", - }, - { - from: "gsuite.admin.NEW_VALUE", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.OLD_VALUE", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.ORG_UNIT_NAME", - to: "gsuite.admin.org_unit.name", - }, - { - from: "gsuite.admin.SETTING_NAME", - to: "gsuite.admin.setting.name", - }, - { - from: "gsuite.admin.SETTING_DESCRIPTION", - to: "gsuite.admin.setting.description", - }, - { - from: "gsuite.admin.USER_DEFINED_SETTING_NAME", - to: "gsuite.admin.user_defined_setting.name", - }, - { - from: "gsuite.admin.GROUP_PRIORITIES", - to: "gsuite.admin.group.priorities", - }, - { - from: "gsuite.admin.DOMAIN_NAME", - to: "gsuite.admin.domain.name", - }, - { - from: "gsuite.admin.DOMAIN_ALIAS", - to: "gsuite.admin.domain.alias", - }, - { - from: "gsuite.admin.SECONDARY_DOMAIN_NAME", - to: "gsuite.admin.domain.secondary_name", - }, - { - from: "gsuite.admin.MANAGED_CONFIGURATION_NAME", - to: "gsuite.admin.managed_configuration", - }, - { - from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", - to: "gsuite.admin.application.package_id", - }, - { - from: "gsuite.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION", - to: "gsuite.admin.non_featured_services_selection", - }, - { - from: "gsuite.admin.FIELD_NAME", - to: "gsuite.admin.field", - }, - { - from: "gsuite.admin.RESOURCE_IDENTIFIER", - to: "gsuite.admin.resource.id", - }, - { - from: "gsuite.admin.USER_EMAIL", - to: "gsuite.admin.user.email", - }, - { - from: 
"gsuite.admin.GATEWAY_NAME", - to: "gsuite.admin.gateway.name", - }, - { - from: "gsuite.admin.APP_ID", - to: "gsuite.admin.application.id", - }, - { - from: "gsuite.admin.ASP_ID", - to: "gsuite.admin.application.asp_id", - }, - { - from: "gsuite.admin.CHROME_OS_SESSION_TYPE", - to: "gsuite.admin.chrome_os.session_type", - }, - { - from: "gsuite.admin.DEVICE_NEW_STATE", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.DEVICE_PREVIOUS_STATE", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.DEVICE_SERIAL_NUMBER", - to: "gsuite.admin.device.serial_number", - }, - { - from: "gsuite.admin.DEVICE_ID", - to: "gsuite.admin.device.id", - }, - { - from: "gsuite.admin.DEVICE_TYPE", - to: "gsuite.admin.device.type", - }, - { - from: "gsuite.admin.PRINT_SERVER_NAME", - to: "gsuite.admin.print_server.name", - }, - { - from: "gsuite.admin.PRINTER_NAME", - to: "gsuite.admin.printer.name", - }, - { - from: "gsuite.admin.DEVICE_COMMAND_DETAILS", - to: "gsuite.admin.device.command_details", - }, - { - from: "gsuite.admin.DEVICE_NEW_ORG_UNIT", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.DEVICE_PREVIOUS_ORG_UNIT", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.ROLE_NAME", - to: "gsuite.admin.role.name", - }, - { - from: "gsuite.admin.ROLE_ID", - to: "gsuite.admin.role.id", - }, - { - from: "gsuite.admin.PRIVILEGE_NAME", - to: "gsuite.admin.privilege.name", - }, - { - from: "gsuite.admin.SITE_LOCATION", - to: "url.path", - }, - { - from: "gsuite.admin.WEB_ADDRESS", - to: "url.full", - }, - { - from: "gsuite.admin.SITE_NAME", - to: "gsuite.admin.url.name", - }, - { - from: "gsuite.admin.SERVICE_NAME", - to: "gsuite.admin.service.name", - }, - { - from: "gsuite.admin.PRODUCT_NAME", - to: "gsuite.admin.product.name", - }, - { - from: "gsuite.admin.SKU_NAME", - to: "gsuite.admin.product.sku", - }, - { - from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER", - to: "gsuite.admin.bulk_upload.failed", - type: "long", - }, - { 
- from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER", - to: "gsuite.admin.bulk_upload.total", - type: "long", - }, - { - from: "gsuite.admin.BULK_UPLOAD_FAIL_USERS_NUMBER", - to: "gsuite.admin.bulk_upload.failed", - type: "long", - }, - { - from: "gsuite.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER", - to: "gsuite.admin.bulk_upload.total", - type: "long", - }, - { - from: "gsuite.admin.EMAIL_LOG_SEARCH_MSG_ID", - to: "gsuite.admin.email.log_search_filter.message_id", - }, - { - from: "gsuite.admin.EMAIL_LOG_SEARCH_RECIPIENT", - to: "gsuite.admin.email.log_search_filter.recipient.value", - }, - { - from: "gsuite.admin.EMAIL_LOG_SEARCH_SENDER", - to: "gsuite.admin.email.log_search_filter.sender.value", - }, - { - from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP", - to: "gsuite.admin.email.log_search_filter.recipient.ip", - type: "ip", - }, - { - from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP", - to: "gsuite.admin.email.log_search_filter.sender.ip", - type: "ip", - }, - { - from: "gsuite.admin.QUARANTINE_NAME", - to: "gsuite.admin.email.quarantine_name", - }, - { - from: "gsuite.admin.CHROME_LICENSES_ENABLED", - to: "gsuite.admin.chrome_licenses.enabled", - }, - { - from: "gsuite.admin.CHROME_LICENSES_ALLOWED", - to: "gsuite.admin.chrome_licenses.allowed", - }, - { - from: "gsuite.admin.FULL_ORG_UNIT_PATH", - to: "gsuite.admin.org_unit.full", - }, - { - from: "gsuite.admin.OAUTH2_SERVICE_NAME", - to: "gsuite.admin.oauth2.service.name", - }, - { - from: "gsuite.admin.OAUTH2_APP_ID", - to: "gsuite.admin.oauth2.application.id", - }, - { - from: "gsuite.admin.OAUTH2_APP_NAME", - to: "gsuite.admin.oauth2.application.name", - }, - { - from: "gsuite.admin.OAUTH2_APP_TYPE", - to: "gsuite.admin.oauth2.application.type", - }, - { - from: "gsuite.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD", - to: "gsuite.admin.verification_method", - }, - { - from: "gsuite.admin.DOMAIN_VERIFICATION_METHOD", - to: "gsuite.admin.verification_method", - }, - { - from: 
"gsuite.admin.CAA_ASSIGNMENTS_NEW", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.CAA_ASSIGNMENTS_OLD", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.REAUTH_SETTING_NEW", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.REAUTH_SETTING_OLD", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.ALERT_NAME", - to: "gsuite.admin.alert.name", - }, - { - from: "gsuite.admin.API_CLIENT_NAME", - to: "gsuite.admin.api.client.name", - }, - { - from: "gsuite.admin.API_SCOPES", - to: "gsuite.admin.api.scopes", - }, - { - from: "gsuite.admin.PLAY_FOR_WORK_TOKEN_ID", - to: "gsuite.admin.mdm.token", - }, - { - from: "gsuite.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME", - to: "gsuite.admin.mdm.vendor", - }, - { - from: "gsuite.admin.INFO_TYPE", - to: "gsuite.admin.info_type", - }, - { - from: "gsuite.admin.RULE_NAME", - to: "gsuite.admin.rule.name", - }, - { - from: "gsuite.admin.USER_CUSTOM_FIELD", - to: "gsuite.admin.setting.name", - }, - { - from: "gsuite.admin.EMAIL_MONITOR_DEST_EMAIL", - to: "gsuite.admin.email_monitor.dest_email", - }, - { - from: "gsuite.admin.EMAIL_MONITOR_LEVEL_CHAT", - to: "gsuite.admin.email_monitor.level.chat", - }, - { - from: "gsuite.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL", - to: "gsuite.admin.email_monitor.level.draft", - }, - { - from: "gsuite.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL", - to: "gsuite.admin.email_monitor.level.incoming", - }, - { - from: "gsuite.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL", - to: "gsuite.admin.email_monitor.level.outgoing", - }, - { - from: "gsuite.admin.EMAIL_EXPORT_INCLUDE_DELETED", - to: "gsuite.admin.email_dump.include_deleted", - }, - { - from: "gsuite.admin.EMAIL_EXPORT_PACKAGE_CONTENT", - to: "gsuite.admin.email_dump.package_content", - }, - { - from: "gsuite.admin.SEARCH_QUERY_FOR_DUMP", - to: "gsuite.admin.email_dump.query", - }, - { - from: "gsuite.admin.DESTINATION_USER_EMAIL", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.REQUEST_ID", - to: 
"gsuite.admin.request.id", - }, - { - from: "gsuite.admin.GMAIL_RESET_REASON", - to: "message", - }, - { - from: "gsuite.admin.USER_NICKNAME", - to: "gsuite.admin.user.nickname", - }, - { - from: "gsuite.admin.ACTION_ID", - to: "gsuite.admin.mobile.action.id", - }, - { - from: "gsuite.admin.ACTION_TYPE", - to: "gsuite.admin.mobile.action.type", - }, - { - from: "gsuite.admin.MOBILE_CERTIFICATE_COMMON_NAME", - to: "gsuite.admin.mobile.certificate.name", - }, - { - from: "gsuite.admin.NUMBER_OF_COMPANY_OWNED_DEVICES", - to: "gsuite.admin.mobile.company_owned_devices", - type: "long", - }, - { - from: "gsuite.admin.COMPANY_DEVICE_ID", - to: "gsuite.admin.device.id", - }, - { - from: "gsuite.admin.DISTRIBUTION_ENTITY_NAME", - to: "gsuite.admin.distribution.entity.name", - }, - { - from: "gsuite.admin.DISTRIBUTION_ENTITY_TYPE", - to: "gsuite.admin.distribution.entity.type", - }, - { - from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", - to: "gsuite.admin.application.package_id", - }, - { - from: "gsuite.admin.NEW_PERMISSION_GRANT_STATE", - to: "gsuite.admin.new_value", - }, - { - from: "gsuite.admin.OLD_PERMISSION_GRANT_STATE", - to: "gsuite.admin.old_value", - }, - { - from: "gsuite.admin.PERMISSION_GROUP_NAME", - to: "gsuite.admin.setting.name", - }, - { - from: "gsuite.admin.MOBILE_WIRELESS_NETWORK_NAME", - to: "network.name", - }, - ], - mode: "rename", - ignore_missing: true, - fail_on_error: false, - }) - .Add(parseDate( - "gsuite.admin.EMAIL_LOG_SEARCH_END_DATE", - "gsuite.admin.email.log_search_filter.end_date" - )) - .Add(parseDate( - "gsuite.admin.EMAIL_LOG_SEARCH_START_DATE", - "gsuite.admin.email.log_search_filter.start_date" - )) - .Add(parseDate( - "gsuite.admin.BIRTHDATE", - "gsuite.admin.user.birthdate" - )) - .Add(parseDate( - "gsuite.admin.BEGIN_DATE_TIME", - "event.start" - )) - .Add(parseDate( - "gsuite.admin.START_DATE", - "event.start" - )) - .Add(parseDate( - "gsuite.admin.END_DATE", - "event.end" - )) - .Add(parseDate( - "gsuite.admin.END_DATE_TIME", - 
"event.end" - )) - .Add(setGroupInfo) - .Add(setRelatedUserInfo) - .Add(setEventDuration) - .Add(setEventOutcome) - .Add(setGroupAllowedlist) - .Build(); - - return { - process: pipeline.Run, - }; -}()); - -function process(evt) { - return login.process(evt); -} diff --git a/x-pack/filebeat/module/gsuite/admin/manifest.yml b/x-pack/filebeat/module/gsuite/admin/manifest.yml deleted file mode 100644 index c5992776ac07..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: jwt_file - - name: delegated_account - - name: initial_interval - default: 24h - - name: http_client_timeout - default: 60s - - name: user_key - default: all - - name: interval - default: 2h - - name: tags - default: [forwarded] - - name: proxy_url - -input: config/config.yml -ingest_pipeline: ../ingest/common.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log deleted file mode 100644 index 2d2d36e96a30..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log +++ /dev/null 
@@ -1,9 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json deleted file mode 100644 index ab7e42ab458b..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json +++ /dev/null 
@@ -1,499 +0,0 @@ -[ - { - "event.action": "CHANGE_APPLICATION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.edition": "basic", - "gsuite.admin.application.name": "drive", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_APPLICATION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.edition": "basic", - "gsuite.admin.application.name": "drive", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 
641, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_APPLICATION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.edition": "basic", - 
"gsuite.admin.application.name": "drive", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1247, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - 
"event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "drive", - "gsuite.admin.group.priorities": [ - "a", - "b" - ], - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1853, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "GPLUS_PREMIUM_FEATURES", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": 
"admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2346, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_MANAGED_CONFIGURATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - 
"gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "1234", - "gsuite.admin.managed_configuration": "a", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2770, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_MANAGED_CONFIGURATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - 
"gsuite.admin.application.package_id": "1234", - "gsuite.admin.managed_configuration": "a", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3218, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_MANAGED_CONFIGURATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "1234", 
- "gsuite.admin.managed_configuration": "a", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3666, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.non_featured_services_selection": 
"FLASHLIGHT_EDU_SELECTION_MANUAL", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4114, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log deleted file mode 100644 index bcbed9ee8866..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log +++ /dev/null 
@@ -1,13 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
deleted file mode 100644
index 3772a9892a44..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
+++ /dev/null
@@ -1,702 +0,0 @@ -[ - { - "event.action": "CREATE_BUILDING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_BUILDING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", 
- "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 414, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_BUILDING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.field": "field", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.resource.id": "1234", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 828, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_CALENDAR_RESOURCE", - 
"event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1361, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_CALENDAR_RESOURCE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": 
"gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1784, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2207, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2638, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.field": "field", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.resource.id": "1234", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3069, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": 
"RENAME_CALENDAR_RESOURCE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3619, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_CALENDAR_RESOURCE", - 
"event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.field": "field", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.resource.id": "1234", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4077, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - 
"forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CALENDAR_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4619, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - 
"source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CANCEL_CALENDAR_EVENTS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5208, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": 
"98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "RELEASE_CALENDAR_RESOURCES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5598, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - 
"source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo",
- "user.target.domain": "example.com",
- "user.target.email": "user@example.com",
- "user.target.name": "user"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log
deleted file mode 100644
index b078b332402e..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log
+++ /dev/null
@@ -1,4 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
deleted file mode 100644
index 74ff813ecdda..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
+++ /dev/null
@@ -1,215 +0,0 @@ -[ - { - "event.action": "MEET_INTEROP_CREATE_GATEWAY", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.gateway.name": "gateway", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MEET_INTEROP_DELETE_GATEWAY", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.gateway.name": "gateway", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 384, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MEET_INTEROP_MODIFY_GATEWAY", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.gateway.name": "gateway", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 768, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHAT_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1152, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - 
"source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log
deleted file mode 100644
index 9c3bd721f397..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log
+++ /dev/null
@@ -1,21 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
deleted file mode 100644
index ed4950f5b6c8..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
+++ /dev/null
@@ -1,1132 +0,0 @@
-[
- {
- "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING",
- "event.category": [
- "configuration",
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "group.domain": "example.com",
- "group.name": "group",
- "gsuite.actor.type": "USER",
- "gsuite.admin.application.id": "2345",
- "gsuite.admin.chrome_os.session_type": "type",
- "gsuite.admin.group.email": "group@example.com",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 0,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "CHANGE_DEVICE_STATE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.device.serial_number": "1234",
- "gsuite.admin.device.type": "type",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "prev",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 648,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING",
- "event.category": [
- "configuration",
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "group.domain": "example.com",
- "group.name": "group",
- "gsuite.actor.type": "USER",
- "gsuite.admin.application.id": "2345",
- "gsuite.admin.chrome_os.session_type": "type",
- "gsuite.admin.group.email": "group@example.com",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 1162,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "SEND_CHROME_OS_DEVICE_COMMAND",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.device.serial_number": "2345",
- "gsuite.admin.new_value": "new",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 1802,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.device.serial_number": "2345",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 2233,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING",
- "event.category": [
- "configuration",
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 2634,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "CHANGE_CHROME_OS_DEVICE_STATE",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.device.serial_number": "1234",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 3136,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING",
- "event.category": [
- "configuration",
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 3641,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "INSERT_CHROME_OS_PRINT_SERVER",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "creation"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.print_server.name": "server",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 4151,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "DELETE_CHROME_OS_PRINT_SERVER",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "deletion"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.print_server.name": "server",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 4546,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "UPDATE_CHROME_OS_PRINT_SERVER",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.print_server.name": "server",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 4941,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "INSERT_CHROME_OS_PRINTER",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "creation"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.printer.name": "printer",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 5406,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "DELETE_CHROME_OS_PRINTER",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "deletion"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.printer.name": "printer",
- "gsuite.event.type": "CHROME_OS_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 5792,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- 
"source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_CHROME_OS_PRINTER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.printer.name": "printer", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6178, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", 
- "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHROME_OS_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6634, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - 
"source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CHROME_OS_USER_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7135, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ISSUE_DEVICE_COMMAND", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.command_details": [ - "-a", - "command" - ], - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7635, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - 
"source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "prev", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8124, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, 
LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "1234", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8657, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United 
States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_DEVICE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9047, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": 
"US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CONTACTS_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CONTACTS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9465, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": 
"US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log deleted file mode 100644 index 5aececc68aac..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log +++ /dev/null @@ -1 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json deleted file mode 100644 index 00c54f3096f6..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json +++ /dev/null 
@@ -1,58 +0,0 @@ -[ - { - "event.action": "CHANGE_CONTACTS_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CONTACTS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - 
"source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log deleted file mode 100644 index da76df3f7673..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log +++ /dev/null 
@@ -1,8 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json deleted file mode 100644 index 01b558fdf49f..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json +++ /dev/null 
@@ -1,430 +0,0 @@ -[ - { - "event.action": "ASSIGN_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", 
- "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CREATE_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.role.id": "1234", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 483, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - 
"user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.role.id": "1234", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 912, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": 
"ADD_PRIVILEGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.privilege.name": "privilege", - "gsuite.admin.role.id": "1234", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1341, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - 
"event.action": "REMOVE_PRIVILEGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.privilege.name": "privilege", - "gsuite.admin.role.id": "1234", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1818, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - 
}, - { - "event.action": "RENAME_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2298, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": 
"gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.role.id": "1234", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2728, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UNASSIGN_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3157, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - } -] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log
deleted file mode 100644
index c3166fb87d2b..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log
+++ /dev/null
@@ -1,3 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
deleted file mode 100644
index e22c5444b0f2..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
+++ /dev/null
@@ -1,176 +0,0 @@ -[ - { - "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "DOCS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - 
"user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DRIVE_DATA_RESTORE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.duration": 10800000000000, - "event.end": "2002-10-02T15:00:00.000Z", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.start": "2002-10-02T12:00:00.000Z", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "DOCS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 471, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", 
- "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_DOCS_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "DOCS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 967, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable 
Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log deleted file mode 100644 index b452d9e8d945..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log +++ /dev/null 
@@ -1,85 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json deleted file mode 100644 index 404587a66474..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json +++ /dev/null 
@@ -1,4459 +0,0 @@ -[ - { - "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "NON_AUTO_RENEWAL", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_APPLICATION", - "event.category": [ - 
"iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.enabled": "app enabled", - "gsuite.admin.application.id": "id", - "gsuite.admin.application.name": "app name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 437, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_APPLICATION_TO_WHITELIST", - "event.category": [ - 
"iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "id", - "gsuite.admin.application.name": "app name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 900, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_ADVERTISEMENT_OPTION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1323, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_ALERT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.alert.name": "alert name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1782, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_ALERT_CRITERIA", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.alert.name": "alert name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2154, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_ALERT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.alert.name": "alert name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2535, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ALERT_RECEIVERS_CHANGED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.alert.name": "alert name", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2907, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "RENAME_ALERT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3360, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ALERT_STATUS_CHANGED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.alert.name": "alert name", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3759, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_DOMAIN_ALIAS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.alias": "alias", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4209, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_DOMAIN_ALIAS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.alias": "alias", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4627, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "SKIP_DOMAIN_ALIAS_MX", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.alias": "alias", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5048, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "VERIFY_DOMAIN_ALIAS_MX", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.alias": "alias", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5470, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "VERIFY_DOMAIN_ALIAS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.alias": "alias", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.verification_method": "ANALYTICS", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5894, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": 
"gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6373, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6803, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENABLE_API_ACCESS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.admin.old_value": "true", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7235, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "AUTHORIZE_API_CLIENT_ACCESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.api.client.name": "api client", - "gsuite.admin.api.scopes": [ - "a", - "b" - ], - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7687, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_API_CLIENT_ACCESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.api.client.name": "api client", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8169, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHROME_LICENSES_REDEEMED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.licences_order_number": "abcd123", - "gsuite.admin.application.licences_purchased": 1, - "gsuite.admin.application.name": "app name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8603, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": 
"1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9100, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_PRIMARY_DOMAIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9526, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_WHITELIST_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "false", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9946, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10401, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", - "event.category": [ - "iam" - ], - "event.dataset": 
"gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10917, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENABLE_FEEDBACK_SOLICITATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": 
"gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11381, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_CONTACT_SHARING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": 
"gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11843, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.mdm.token": "token", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12264, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_USE_CUSTOM_LOGO", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "false", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12657, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CUSTOM_LOGO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13078, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13458, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13919, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.info_type": "ADDRESS", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14377, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.mdm.token": "token", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14846, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "VIEW_DNS_LOGIN_DETAILS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15239, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15623, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16083, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DOMAIN_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16545, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16960, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17391, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_TRUSTED_DOMAINS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17852, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_TRUSTED_DOMAINS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18233, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_EDU_TYPE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18617, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19064, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_SSO_ENABLED", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19493, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_SSL", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19908, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.info_type": "ADDRESS", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20315, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "GENERATE_TRANSFER_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20778, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21103, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_LOGIN_BORDER_COLOR", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21564, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22021, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "PLAY_FOR_WORK_ENROLL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.mdm.token": "token", - "gsuite.admin.mdm.vendor": "vendor", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22480, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "PLAY_FOR_WORK_UNENROLL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.mdm.vendor": "vendor", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22925, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MX_RECORD_VERIFICATION_CLAIM", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23322, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "TOGGLE_NEW_APP_FEATURES", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23761, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 24181, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPLOAD_OAUTH_CERTIFICATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 24611, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 24997, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_OPEN_ID_ENABLED", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25391, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_ORGANIZATION_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25810, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_OUTBOUND_RELAY", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26266, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_PASSWORD_MAX_LENGTH", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", 
- "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26758, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_PASSWORD_MIN_LENGTH", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 27216, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 27674, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 28139, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_APPLICATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "appid", - "gsuite.admin.application.name": "app name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 28610, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "appid", - "gsuite.admin.application.name": "app name", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29026, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29457, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_RESELLER_ACCESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29921, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "RULE_ACTIONS_CHANGED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30330, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_RULE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30703, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_RULE_CRITERIA", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 31067, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_RULE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 31440, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "RENAME_RULE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 31804, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "RULE_STATUS_CHANGED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.rule.name": "rule", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 32202, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_SECONDARY_DOMAIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.domain.secondary_name": "example2.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 32644, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_SECONDARY_DOMAIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.domain.secondary_name": "example2.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 33082, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "SKIP_SECONDARY_DOMAIN_MX", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.domain.secondary_name": "example2.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 33523, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "VERIFY_SECONDARY_DOMAIN_MX", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.domain.secondary_name": "example2.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 33965, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "VERIFY_SECONDARY_DOMAIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.domain.secondary_name": "example2.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 34409, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 34850, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_SSO_SETTINGS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 35311, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "GENERATE_PIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "DOMAIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 35692, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_RULE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.rule.name": "rule",
- "gsuite.event.type": "DOMAIN_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 36006,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log
deleted file mode 100644
index dc0842dc0d4e..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log
+++ /dev/null
@@ -1,9 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
deleted file mode 100644
index 69ddb7692a27..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
+++ /dev/null
@@ -1,497 +0,0 @@ -[ - { - "event.action": "DROP_FROM_QUARANTINE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.quarantine_name": "quarantine", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "EMAIL_LOG_SEARCH", - 
"event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.end_date": "2020-07-28T04:59:59.000Z", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.log_search_filter.recipient.ip": "1.1.1.1", - "gsuite.admin.email.log_search_filter.recipient.value": "recipient", - "gsuite.admin.email.log_search_filter.sender.ip": "1.1.1.1", - "gsuite.admin.email.log_search_filter.sender.value": "sender", - "gsuite.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00.000Z", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 432, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, 
LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "EMAIL_UNDELETE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.duration": 7200000000000, - "event.end": "2002-10-02T12:00:00.000Z", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", - "event.provider": "admin", - "event.start": "2002-10-02T10:00:00.000Z", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1188, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - 
"source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_EMAIL_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - 
"gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1671, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_GMAIL_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", - "event.provider": "admin", - "event.type": [ - 
"change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.description": "setting description", - "gsuite.admin.setting.name": "setting", - "gsuite.admin.user_defined_setting.name": "setting name", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2254, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_GMAIL_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting 
description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.description": "setting description", - "gsuite.admin.setting.name": "setting", - "gsuite.admin.user_defined_setting.name": "setting name", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2792, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_GMAIL_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.description": "setting description", - "gsuite.admin.setting.name": "setting", - "gsuite.admin.user_defined_setting.name": "setting name", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3330, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REJECT_FROM_QUARANTINE", 
- "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.quarantine_name": "quarantine", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3868, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "RELEASE_FROM_QUARANTINE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.quarantine_name": "quarantine", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4302, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log
deleted file mode 100644
index 2c60ded89cc1..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log
+++ /dev/null
@@ -1,14 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
deleted file mode 100644
index 7cc876ea7882..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
+++ /dev/null
@@ -1,798 +0,0 @@ -[ - { - "event.action": "CREATE_GROUP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "DELETE_GROUP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 379, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_GROUP_DESCRIPTION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 758, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "GROUP_LIST_DOWNLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", - "event.provider": "admin", - "event.type": [ - "group", - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1149, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_GROUP_MEMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1469, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, 
- { - "event.action": "REMOVE_GROUP_MEMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1901, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - 
"user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "UPDATE_GROUP_MEMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2336, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - 
"source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2841, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - 
"service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": 
"group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3364, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "GROUP_MEMBER_BULK_UPLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.bulk_upload.failed": 0, - "gsuite.admin.bulk_upload.total": 10, - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3906, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "GROUP_MEMBERS_DOWNLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", - "event.provider": "admin", - "event.type": [ - "group", - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4370, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_GROUP_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4693, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_GROUP_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5112, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "WHITELISTED_GROUPS_UPDATED", - 
"event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "group" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.group.allowed_list": [ - "a", - "b", - "c" - ], - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5611, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log
deleted file mode 100644
index c028ff6ba1cb..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log
+++ /dev/null
@@ -1,8 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
deleted file mode 100644
index 2f36dd24262d..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
+++ /dev/null
@@ -1,440 +0,0 @@ -[ - { - "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - 
"event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 463, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": 
"USER_LICENSE_ASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.product.name": "product", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 930, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": 
"example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.product.name": "product", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1398, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - 
"user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USER_LICENSE_REASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.product.name": "product", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1854, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - 
"source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ORG_LICENSE_REVOKE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2359, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - 
"source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USER_LICENSE_REVOKE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.old_value": "old", - "gsuite.admin.product.name": "product", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2812, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - 
"source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UPDATE_DYNAMIC_LICENSE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3276, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - 
"source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log deleted file mode 100644 index 69c376c4453a..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log +++ /dev/null 
@@ -1,31 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
deleted file mode 100644
index 2dbefb68450c..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
+++ /dev/null
@@ -1,1688 +0,0 @@ -[ - { - "event.action": "ACTION_CANCELLED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.mobile.action.id": "id", - "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - 
"source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ACTION_REQUESTED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.mobile.action.id": "id", - "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 534, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", 
- "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ADD_MOBILE_CERTIFICATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.mobile.certificate.name": "name", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1068, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - 
"source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMPANY_DEVICES_BULK_CREATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.mobile.company_owned_devices": 10, - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1548, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United 
States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1951, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - 
"source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMPANY_DEVICE_DELETION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2376, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - 
"source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2796, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - 
"source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "COMPANY_OWNED_DEVICE_WIPED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3223, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": 
"foo" - }, - { - "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.distribution.entity.name": "ANY", - "gsuite.admin.distribution.entity.type": "GROUP", - "gsuite.admin.new_value": "GRANTED", - "gsuite.admin.old_value": "DENIED", - "gsuite.admin.setting.name": "LOCATION", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3646, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "id", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4354, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 
40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.distribution.entity.name": "ANY", - "gsuite.admin.distribution.entity.type": "ORG_UNIT", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4795, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - 
"source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.distribution.entity.name": "ANY", - "gsuite.admin.distribution.entity.type": "ORG_UNIT", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "MOBILE_SETTINGS", 
- "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5341, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.package_id": "id", - "gsuite.admin.device.type": "type", - 
"gsuite.admin.distribution.entity.name": "ANY", - "gsuite.admin.distribution.entity.type": "ORG_UNIT", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5993, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MOBILE_DEVICE_APPROVE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - 
"gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6534, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MOBILE_DEVICE_BLOCK", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - 
], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6993, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MOBILE_DEVICE_DELETE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7450, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MOBILE_DEVICE_WIPE", - "event.category": [ - "iam" - ], - 
"event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7908, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": 
"user" - }, - { - "event.action": "CHANGE_MOBILE_SETTING", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8364, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": 
"foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8898, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - 
], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9328, - "network.name": "network", - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - 
], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_MOBILE_WIRELESS_NETWORK", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9817, - "network.name": "network", - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - 
"user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10303, - "network.name": "network", - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - 
"user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10792, - "network.name": "network", - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - 
"forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_MOBILE_CERTIFICATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.mobile.certificate.name": "cert", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11290, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - 
"tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11773, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12110, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12440, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12782, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MOBILE_ACCOUNT_WIPE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13120, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", - "event.category": [ 
- "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13577, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": 
"user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "MOBILE_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14053, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], 
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo",
- "user.target.domain": "example.com",
- "user.target.email": "user@example.com",
- "user.target.name": "user"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log
deleted file mode 100644
index 3ad1efedd6aa..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log
+++ /dev/null
@@ -1,17 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
deleted file mode 100644
index 854d75f96fdf..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
+++ /dev/null
@@ -1,890 +0,0 @@ -[ - { - "event.action": "CHROME_LICENSES_ENABLED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.chrome_licenses.enabled": "DISABLED", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": 
"foo" - }, - { - "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 472, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": 
[ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 982, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - 
"tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1457, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - 
"source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.full": "full/org/path", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2002, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - 
"forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ASSIGN_CUSTOM_LOGO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2400, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UNASSIGN_CUSTOM_LOGO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", 
- "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2771, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_ENROLLMENT_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3144, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REVOKE_ENROLLMENT_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3520, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHROME_LICENSES_ALLOWED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.chrome_licenses.allowed": "EMPTY", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3896, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CREATE_ORG_UNIT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4365, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_ORG_UNIT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4733, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "EDIT_ORG_UNIT_DESCRIPTION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5101, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MOVE_ORG_UNIT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5479, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "EDIT_ORG_UNIT_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5880, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.full": "full/org/path", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6286, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_SERVICE_ENABLED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.service.name": "new", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6684, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", 
- "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log deleted file mode 100644 index 1035f42a2fbe..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log +++ /dev/null 
@@ -1,24 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json deleted file mode 100644 index b55578f2e10a..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json +++ /dev/null 
@@ -1,1309 +0,0 @@ -[ - { - "event.action": "ALLOW_STRONG_AUTHENTICATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": 
"foo" - }, - { - "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 461, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": 
"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 903, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", - 
"event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1348, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - 
"source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.application.id": "id", - "gsuite.admin.oauth2.application.name": "appname", - "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1903, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - 
"source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.application.id": "id", - "gsuite.admin.oauth2.application.name": "appname", - "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2424, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 
40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "BLOCK_ON_DEVICE_ACCESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2950, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - 
"source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3383, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - 
"source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3917, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 
7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - 
"input.type": "log", - "log.offset": 4434, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - 
"gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4963, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", 
- "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.verification_method": "ONLY_SECURITY_KEY", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5481, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TOGGLE_CAA_ENABLEMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - 
"gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6010, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CAA_ERROR_MESSAGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": 
"elastic.com", - "input.type": "log", - "log.offset": 6385, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - 
"gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6802, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": 
"log", - "log.offset": 7356, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7746, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - 
"source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - 
"log.offset": 8134, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "ENFORCE_STRONG_AUTHENTICATION", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - 
"gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8652, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": 
"admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9247, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9718, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": 
"SESSION_CONTROL_SETTINGS_CHANGE", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "ADMIN_CONSOLE", - "gsuite.admin.new_value": "INHERIT", - "gsuite.admin.old_value": "NEVER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10237, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": 
"foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "CHANGE_SESSION_LENGTH", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10774, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - 
"event.action": "UNBLOCK_ON_DEVICE_ACCESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.oauth2.service.name": "CALENDAR", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "SECURITY_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11184, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log deleted file mode 100644 index ff07d024c4c5..000000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log +++ /dev/null 
@@ -1,5 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
deleted file mode 100644
index 75de8c3c13c5..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
+++ /dev/null
@@ -1,275 +0,0 @@
-[
- {
- "event.action": "ADD_WEB_ADDRESS",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "creation"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "SITES_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 0,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": 
"foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "url.full": "http://example.com/path/in/url",
- "url.path": "/path/in/url",
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "DELETE_WEB_ADDRESS",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "deletion"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "SITES_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 594,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- 
"source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "url.full": "http://example.com/path/in/url",
- "url.path": "/path/in/url",
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "CHANGE_SITES_SETTING",
- "event.category": [
- "configuration",
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.domain.name": "example.com",
- "gsuite.admin.new_value": "new",
- "gsuite.admin.old_value": "old",
- "gsuite.admin.org_unit.name": "org",
- "gsuite.admin.setting.name": "setting",
- "gsuite.event.type": "SITES_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 1191,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- 
"source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES",
- "event.category": [
- "configuration",
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "change"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.service.name": "service",
- "gsuite.event.type": "SITES_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 1723,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- 
"source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "url.full": "http://example.com/path/in/url",
- "url.path": "/path/in/url",
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- },
- {
- "event.action": "VIEW_SITE_DETAILS",
- "event.category": [
- "iam"
- ],
- "event.dataset": "gsuite.admin",
- "event.id": "1",
- "event.module": "gsuite",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}",
- "event.provider": "admin",
- "event.type": [
- "info"
- ],
- "fileset.name": "admin",
- "gsuite.actor.type": "USER",
- "gsuite.admin.url.name": "site",
- "gsuite.event.type": "SITES_SETTINGS",
- "gsuite.kind": "admin#reports#activity",
- "gsuite.organization.domain": "elastic.com",
- "input.type": "log",
- "log.offset": 2233,
- "organization.id": "1",
- "related.ip": [
- "98.235.162.24"
- ],
- "related.user": [
- "foo"
- ],
- "service.type": "gsuite",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North 
America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
- "source.user.domain": "bar.com",
- "source.user.email": "foo@bar.com",
- "source.user.id": "1",
- "source.user.name": "foo",
- "tags": [
- "forwarded"
- ],
- "user.domain": "bar.com",
- "user.id": "1",
- "user.name": "foo"
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log
deleted file mode 100644
index bed874fc9a42..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log
+++ /dev/null
@@ -1,74 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json
deleted file mode 100644
index dc713f9ae923..000000000000
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json
+++ /dev/null
@@ -1,4198 +0,0 @@ -[ - { - "event.action": "DELETE_2SV_SCRATCH_CODES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": 
"GENERATE_2SV_SCRATCH_CODES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 388, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REVOKE_3LO_DEVICE_TOKENS", - "event.category": [ - 
"iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.id": "id", - "gsuite.admin.device.type": "type", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 778, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - 
"user.target.name": "user" - }, - { - "event.action": "REVOKE_3LO_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.id": "id", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1238, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": 
"user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ADD_RECOVERY_EMAIL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1649, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - 
"event.action": "ADD_RECOVERY_PHONE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2031, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "GRANT_ADMIN_PRIVILEGE", - "event.category": [ - "iam" 
- ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2413, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REVOKE_ADMIN_PRIVILEGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - 
"event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2798, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REVOKE_ASP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.asp_id": "id", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3184, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3589, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "BULK_UPLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - 
"event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.bulk_upload.failed": 1, - "gsuite.admin.bulk_upload.total": 10, - "gsuite.admin.domain.name": "example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4020, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - 
"event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4499, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CANCEL_USER_INVITE", - "event.category": [ - "iam" - ], - "event.dataset": 
"gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4937, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_CUSTOM_FIELD", - "event.category": 
[ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "custom", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5364, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": 
"foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_EXTERNAL_ID", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5868, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": 
"foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_GENDER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6325, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", 
- "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_IM", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6777, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": 
"Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ENABLE_USER_IP_WHITELIST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7225, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - 
"source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_KEYWORD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7683, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": 
"US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_LANGUAGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8136, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State 
College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_LOCATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8590, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - 
"source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_ORGANIZATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9044, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - 
"related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_PHONE_NUMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": 
"log", - "log.offset": 9502, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_RECOVERY_EMAIL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9960, - "organization.id": "1", - 
"related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_RECOVERY_PHONE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10345, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - 
"foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_RELATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 
10730, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_USER_ADDRESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": 
"admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11184, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CREATE_EMAIL_MONITOR", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.duration": 3600000000000, - "event.end": "2002-10-02T16:00:00.000Z", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", - "event.provider": "admin", - "event.start": "2002-10-02T15:00:00.000Z", - "event.type": [ - "creation", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email_monitor.dest_email": "dest@example.com", - "gsuite.admin.email_monitor.level.chat": "info", - "gsuite.admin.email_monitor.level.draft": "info", - "gsuite.admin.email_monitor.level.incoming": "info", - "gsuite.admin.email_monitor.level.outgoing": "info", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11637, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United 
States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CREATE_DATA_TRANSFER_REQUEST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "a,b,c", - "gsuite.admin.new_value": "dest@example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12429, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - 
"source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12926, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": 
"Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DELETE_ACCOUNT_INFO_DUMP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.request.id": "id", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13357, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - 
"source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DELETE_EMAIL_MONITOR", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email_monitor.dest_email": "dest@example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13780, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - 
"user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DELETE_MAILBOX_DUMP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.request.id": "id", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14227, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": 
[ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_FIRST_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14645, 
- "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "GMAIL_RESET_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15096, - "message": 
"reason", - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_LAST_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", 
- "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15523, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MAIL_ROUTING_DESTINATION_ADDED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - 
"gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15973, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - 
"gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16402, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ADD_NICKNAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.admin.user.nickname": 
"nick", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16833, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REMOVE_NICKNAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - 
"gsuite.admin.user.nickname": "nick", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17249, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_PASSWORD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": 
"USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17668, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": 
"new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18047, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DOWNLOAD_PENDING_INVITES_LIST", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - 
"gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18510, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "REMOVE_RECOVERY_EMAIL", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18839, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - 
"foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REMOVE_RECOVERY_PHONE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19224, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - 
"source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REQUEST_ACCOUNT_INFO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19609, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast 
Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REQUEST_MAILBOX_DUMP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.duration": 3600000000000, - "event.end": "2002-10-02T16:00:00.000Z", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", - "event.provider": "admin", - "event.start": "2002-10-02T15:00:00.000Z", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email_dump.include_deleted": "true", - 
"gsuite.admin.email_dump.package_content": "contents", - "gsuite.admin.email_dump.query": "foo bar", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19993, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "RESEND_USER_INVITE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ 
- "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20656, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "RESET_SIGNIN_COOKIES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - 
], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21083, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - 
"gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21467, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "REVOKE_SECURITY_KEY", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": 
"user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21863, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "USER_INVITE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain.name": "example.com", - 
"gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22246, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "VIEW_TEMP_PASSWORD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - 
"gsuite.admin.domain.name": "example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22666, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "TURN_OFF_2_STEP_VERIFICATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - 
"gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23093, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNBLOCK_USER_SESSION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - 
"gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23485, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNENROLL_USER_FROM_TITANIUM", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - 
"gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23869, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "ARCHIVE_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": 
"elastic.com", - "input.type": "log", - "log.offset": 24260, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UPDATE_BIRTHDATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.birthdate": "2002-10-02T15:00:00.000Z", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": 
"admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 24636, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "CREATE_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - 
"input.type": "log", - "log.offset": 25068, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DELETE_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25443, - "organization.id": "1", - 
"related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DOWNGRADE_USER_FROM_GPLUS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25818, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - 
"related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26207, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - 
"user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "DOWNLOAD_USERLIST_CSV", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26609, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - 
"source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "MOVE_USER_TO_ORG_UNIT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26930, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - 
"source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 27389, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable 
Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "RENAME_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 27834, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable 
Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 28244, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - 
"source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "SUSPEND_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 28638, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North 
America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNARCHIVE_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29014, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": 
"United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNDELETE_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29392, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - 
"source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UNSUSPEND_USER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29769, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", 
- "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "UPGRADE_USER_TO_GPLUS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30147, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": 
"98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - }, - { - "event.action": "USERS_BULK_UPLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.bulk_upload.failed": 0, - "gsuite.admin.bulk_upload.total": 10, - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30532, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - 
"source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "info", - "user" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "USER_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30972, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": 
"foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.name": "user" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/config/common.js b/x-pack/filebeat/module/gsuite/config/common.js deleted file mode 100644 index 64ce7b0620f6..000000000000 --- a/x-pack/filebeat/module/gsuite/config/common.js +++ /dev/null 
@@ -1,86 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-var gsuite = (function () {
- var processor = require("processor");
-
- var decodeJson = new processor.DecodeJSONFields({
- fields: ["message"],
- target: "json",
- });
-
- var parseTimestamp = new processor.Timestamp({
- field: "json.id.time",
- timezone: "UTC",
- layouts: ["2006-01-02T15:04:05.999Z"],
- tests: ["2020-02-05T18:19:23.599Z"],
- ignore_missing: true,
- });
-
- var convertFields = new processor.Convert({
- fields: [
- { from: "message", to: "event.original" },
- { from: "json.events.name", to: "event.action" },
- { from: "json.id.applicationName", to: "event.provider" },
- { from: "json.id.uniqueQualifier", to: "event.id", type: "string" },
- { from: "json.actor.email", to: "source.user.email" },
- { from: "json.actor.profileId", to: "source.user.id", type: "string" },
- { from: "json.ipAddress", to: "source.ip", type: "ip" },
- { from: "json.kind", to: "gsuite.kind" },
- { from: "json.id.customerId", to: "organization.id", type: "string" },
- { from: "json.actor.callerType", to: "gsuite.actor.type" },
- { from: "json.actor.key", to: "gsuite.actor.key" },
- { from: "json.ownerDomain", to: "gsuite.organization.domain" },
- { from: "json.events.type", to: "gsuite.event.type" },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- });
-
- var completeUserData = function(evt) {
- var email = evt.Get("source.user.email");
- if (!email) {
- return;
- }
-
- var data = email.split("@");
- if (data.length !== 2) {
- return;
- }
-
- evt.Put("user.id", evt.Get("source.user.id"));
- evt.Put("user.name", data[0]);
- evt.Put("source.user.name", data[0]);
- evt.Put("user.domain", data[1]);
- evt.Put("source.user.domain", data[1]);
- };
-
- var copyFields = function(evt) {
- var ip = 
evt.Get("source.ip");
- if (ip) {
- evt.Put("related.ip", [ip]);
- }
- var userName = evt.Get("source.user.name");
- if (userName) {
- evt.Put("related.user", [userName]);
- }
- };
-
- var pipeline = new processor.Chain()
- .Add(decodeJson)
- .Add(parseTimestamp)
- .Add(convertFields)
- .Add(completeUserData)
- .Add(copyFields)
- .Build();
-
- return {
- process: pipeline.Run,
- };
-}());
-
-function process(evt) {
- return gsuite.process(evt);
-}
diff --git a/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml b/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
deleted file mode 100644
index 9c031b89ce5e..000000000000
--- a/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
+++ /dev/null
@@ -1,89 +0,0 @@
-- name: drive
- type: group
- fields:
- - name: billable
- type: boolean
- description: Whether this activity is billable.
- - name: source_folder_id
- type: keyword
- - name: source_folder_title
- type: keyword
- - name: destination_folder_id
- type: keyword
- - name: destination_folder_title
- type: keyword
- - name: file.id
- type: keyword
- - name: file.type
- type: keyword
- description: >
- Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: originating_app_id
- type: keyword
- description: >
- The Google Cloud Project ID of the application that performed the action.
- - name: file.owner.email
- type: keyword
- - name: file.owner.is_shared_drive
- type: boolean
- description: >
- Boolean flag denoting whether owner is a shared drive.
- - name: primary_event
- type: boolean
- description: >
- Whether this is a primary event. A single user action in Drive may generate several events.
- - name: shared_drive_id
- type: keyword
- description: >
- The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.
- - name: visibility
- type: keyword
- description: >
- Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: new_value
- type: keyword
- description: >
- When a setting or property of the file changes, the new value for it will appear here.
- - name: old_value
- type: keyword
- description: >
- When a setting or property of the file changes, the old value for it will appear here.
- - name: sheets_import_range_recipient_doc
- type: keyword
- description: Doc ID of the recipient of a sheets import range.
- - name: old_visibility
- type: keyword
- description: >
- When visibility changes, this holds the old value.
- - name: visibility_change
- type: keyword
- description: >
- When visibility changes, this holds the new overall visibility of the file.
- - name: target_domain
- type: keyword
- description: >
- The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
- - name: added_role
- type: keyword
- description: >
- Added membership role of a user/group in a Team Drive.
- For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: membership_change_type
- type: keyword
- description: >
- Type of change in Team Drive membership of a user/group.
- For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: shared_drive_settings_change_type
- type: keyword
- description: >
- Type of change in Team Drive settings.
- For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: removed_role
- type: keyword
- description: >
- Removed membership role of a user/group in a Team Drive.
- For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- - name: target
- type: keyword
- description: Target user or group.
-
diff --git a/x-pack/filebeat/module/gsuite/drive/config/config.yml b/x-pack/filebeat/module/gsuite/drive/config/config.yml
deleted file mode 100644
index 1fc56ba1ee50..000000000000
--- a/x-pack/filebeat/module/gsuite/drive/config/config.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-{{ if eq .input "httpjson" }}
-type: httpjson
-
-url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/drive
-json_objects_array: items
-split_events_by: events
-
-interval: {{ .interval }}
-
-{{ if .http_client_timeout }}
-http_client_timeout: {{ .http_client_timeout }}
-{{ end }}
-
-oauth2.provider: google
-oauth2.google.jwt_file: {{ .jwt_file }}
-oauth2.google.delegated_account: {{ .delegated_account }}
-oauth2.scopes:
- - https://www.googleapis.com/auth/admin.reports.audit.readonly
-
-date_cursor.url_field: startTime
-date_cursor.initial_interval: {{ .initial_interval }}
-
-pagination.id_field: nextPageToken
-pagination.url_field: pageToken
-
-{{ if .proxy_url }}
-request.proxy_url: {{ .proxy_url }}
-{{ end }}
-
-{{ else if eq .input "file" }}
-type: log
-paths:
-{{ range $i, $path := .paths }}
- - {{$path}}
-{{ end }}
-exclude_files: [".gz$"]
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.11.0
- - script:
- lang: javascript
- id: gsuite-common
- file: ${path.home}/module/gsuite/config/common.js
- - script:
- lang: javascript
- id: gsuite-drive
- file: ${path.home}/module/gsuite/drive/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/drive/config/pipeline.js b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js
deleted file mode 100644
index 31403a880ae3..000000000000
--- a/x-pack/filebeat/module/gsuite/drive/config/pipeline.js
+++ /dev/null
@@ -1,191 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-var drive = (function () {
- var path = require("path");
- var processor = require("processor");
-
- var categorizeEvent = function(evt) {
- evt.Put("event.category", ["file"]);
- switch (evt.Get("event.action")) {
- case "add_to_folder":
- case "edit":
- case "add_lock":
- case "move":
- case "remove_from_folder":
- case "rename":
- case "remove_lock":
- case "sheets_import_range":
- evt.Put("event.type", ["change"]);
- break;
- case "approval_canceled":
- case "approval_comment_added":
- case "approval_requested":
- case "approval_reviewer_responded":
- case "change_acl_editors":
- case "change_document_access_scope":
- case "change_document_visibility":
- case "shared_drive_membership_change":
- case "shared_drive_settings_change":
- case "sheets_import_range_access_change":
- case "change_user_access":
- evt.AppendTo("event.category", "iam");
- evt.AppendTo("event.category", "configuration");
- evt.Put("event.type", ["change"]);
- break;
- case "create":
- case "untrash":
- case "upload":
- evt.Put("event.type", ["creation"]);
- break;
- case "delete":
- case "trash":
- evt.Put("event.type", ["deletion"]);
- break;
- case "download":
- case "preview":
- case "print":
- case "view":
- evt.Put("event.type", ["info"]);
- break;
- }
- };
-
- var getParamValue = function(param) {
- if (param.value) {
- return param.value;
- }
- if (param.multiValue) {
- return param.multiValue;
- }
- if (param.boolValue !== null) {
- return param.boolValue;
- }
- };
-
- var flattenParams = function(evt) {
- var params = evt.Get("json.events.parameters");
- if (!params || !Array.isArray(params)) {
- return;
- }
-
- params.forEach(function(p){
- evt.Put("gsuite.drive."+p.name, getParamValue(p));
- });
-
- evt.Delete("json.events.parameters");
- };
-
- var setFileInfo = function(evt) {
- var type = evt.Get("gsuite.drive.file.type");
- if (!type) {
- return;
- }
-
- switch (type) {
- case "folder":
- case "shared_drive":
- evt.Put("file.type", "dir");
- break;
- default:
- evt.Put("file.type", "file");
- }
-
- // path returns extensions with a preceding ., e.g.: .tmp, .png
- // according to ecs the expected format is without it, so we need to remove it.
- var ext = path.extname(evt.Get("file.name"));
- if (!ext) {
- return;
- }
-
- if (ext.charAt(0) === ".") {
- ext = ext.substr(1);
- }
- evt.Put("file.extension", ext);
- };
-
- var setOwnerInfo = function(evt) {
- var email = evt.Get("gsuite.drive.file.owner.email");
- if (!email) {
- return;
- }
-
- var data = email.split("@");
- if (data.length !== 2) {
- return;
- }
-
- evt.Put("file.owner", data[0]);
- evt.AppendTo("related.user", data[0]);
- };
-
- var setTargetRelatedUser = function(evt) {
- var email = evt.Get("gsuite.drive.target");
- if (!email) {
- return;
- }
-
- var data = email.split("@");
- if (data.length !== 2) {
- return;
- }
-
- evt.AppendTo("related.user", data[0]);
- };
-
- var pipeline = new processor.Chain()
- .Add(categorizeEvent)
- .Add(flattenParams)
- .Convert({
- fields: [
- {
- from: "gsuite.drive.doc_id",
- to: "gsuite.drive.file.id",
- },
- {
- from: "gsuite.drive.doc_title",
- to: "file.name",
- },
- {
- from: "gsuite.drive.doc_type",
- to: "gsuite.drive.file.type",
- },
- {
- from: "gsuite.drive.owner",
- to: "gsuite.drive.file.owner.email",
- },
- {
- from: "gsuite.drive.owner_is_shared_drive",
- to: "gsuite.drive.file.owner.is_shared_drive",
- },
- {
- from: "gsuite.drive.new_settings_state",
- to: "gsuite.drive.new_value",
- },
- {
- from: "gsuite.drive.old_settings_state",
- to: "gsuite.drive.old_value",
- },
- {
- from: "gsuite.drive.target_user",
- to: "gsuite.drive.target",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setFileInfo)
- .Add(setOwnerInfo)
- .Add(setTargetRelatedUser)
- .Build();
-
- return {
- process: pipeline.Run,
- };
-}());
-
-function process(evt) {
- return drive.process(evt);
-}
diff --git a/x-pack/filebeat/module/gsuite/drive/manifest.yml b/x-pack/filebeat/module/gsuite/drive/manifest.yml
deleted file mode 100644
index c5992776ac07..000000000000
--- a/x-pack/filebeat/module/gsuite/drive/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-module_version: 1.0
-
-var:
- - name: input
- default: httpjson
- - name: jwt_file
- - name: delegated_account
- - name: initial_interval
- default: 24h
- - name: http_client_timeout
- default: 60s
- - name: user_key
- default: all
- - name: interval
- default: 2h
- - name: tags
- default: [forwarded]
- - name: proxy_url
-
-input: config/config.yml
-ingest_pipeline: ../ingest/common.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log
deleted file mode 100644
index 3cd073a73790..000000000000
--- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log
+++ /dev/null
@@ -1,28 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}} diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json deleted file mode 100644 index 4068a18c4947..000000000000 --- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json +++ /dev/null 
@@ -1,1801 +0,0 @@ -[ - { - "event.action": "add_to_folder", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.destination_folder_id": "1234", - "gsuite.drive.destination_folder_title": "folder title", - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", 
- "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "approval_canceled", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - 
"fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 816, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "approval_comment_added", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1529, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 
40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "approval_requested", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - 
"gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2247, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "approval_reviewer_responded", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2961, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "create", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "creation" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3684, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "delete", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "deletion" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": 
"people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4386, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "download", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "info" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5088, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "edit", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": 
"1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5792, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United 
States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "add_lock", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - 
"gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6492, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "move", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.destination_folder_id": "1234", - "gsuite.drive.destination_folder_title": "folder title", - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.source_folder_id": "1234", - "gsuite.drive.source_folder_title": "a folder title", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7196, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": 
"bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "preview", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "info" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8102, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - 
"related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "print", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "info" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - 
"gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8805, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "remove_from_folder", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.source_folder_id": "1234", - "gsuite.drive.source_folder_title": "a folder title", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9506, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, 
LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "rename", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.extension": "gif", - "file.name": "bar.gif", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": true, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": 
"owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.old_value": "foo.gif", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10319, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "untrash", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "creation" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11074, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "sheets_import_range", - "event.category": [ - "file" - ], - "event.dataset": 
"gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.sheets_import_range_recipient_doc": "1234", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11777, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": 
"North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "trash", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "deletion" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - 
"gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12514, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "remove_lock", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13215, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "upload", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", - "event.provider": "drive", - "event.type": [ - "creation" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 13922, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "view", - "event.category": [ - "file" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", - "event.provider": "drive", - "event.type": [ - "info" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": 
true, - "gsuite.drive.shared_drive_id": "1234", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "access", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14624, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_acl_editors", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.new_value": "owner", - "gsuite.drive.old_value": "writers", - "gsuite.drive.old_visibility": "people_within_domain_with_link", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.visibility": "people_with_link", - "gsuite.drive.visibility_change": "external", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15366, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - 
"source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_document_access_scope", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - 
"gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.new_value": "owner", - "gsuite.drive.old_value": "writers", - "gsuite.drive.old_visibility": "people_within_domain_with_link", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.target_domain": "all", - "gsuite.drive.visibility": "people_with_link", - "gsuite.drive.visibility_change": "external", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16275, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_document_visibility", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.new_value": "owner", - "gsuite.drive.old_value": "writers", - "gsuite.drive.old_visibility": "people_within_domain_with_link", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.target_domain": "all", - "gsuite.drive.visibility": "people_with_link", - "gsuite.drive.visibility_change": "external", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - 
"gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17233, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "shared_drive_membership_change", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.added_role": "editor", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.membership_change_type": "add_to_shared_drive", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.removed_role": "content_manager", - "gsuite.drive.target": "user@example.com", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18189, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - 
"source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "shared_drive_settings_change", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - 
"gsuite.drive.file.type": "document", - "gsuite.drive.new_value": "restricted", - "gsuite.drive.old_value": "unrestricted", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.shared_drive_settings_change_type": "direct_acl", - "gsuite.drive.target": "user@example.com", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19117, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "sheets_import_range_access_change", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.sheets_import_range_recipient_doc": "1234", - "gsuite.drive.visibility": "people_with_link", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20060, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - 
"source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_user_access", - "event.category": [ - "configuration", - "file", - "iam" - ], - "event.dataset": "gsuite.drive", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", - "event.provider": "drive", - "event.type": [ - "change" - ], - "file.name": "document title", - "file.owner": "owner", - "file.type": "file", - "fileset.name": "drive", - "gsuite.actor.type": "USER", - 
"gsuite.drive.billable": false, - "gsuite.drive.file.id": "1234", - "gsuite.drive.file.owner.email": "owner@example.com", - "gsuite.drive.file.owner.is_shared_drive": false, - "gsuite.drive.file.type": "document", - "gsuite.drive.new_value": "can_comment", - "gsuite.drive.old_value": "can_view", - "gsuite.drive.old_visibility": "people_with_link", - "gsuite.drive.originating_app_id": "1234", - "gsuite.drive.primary_event": true, - "gsuite.drive.target": "user@example.com", - "gsuite.drive.visibility": "private", - "gsuite.drive.visibility_change": "external", - "gsuite.event.type": "acl_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20815, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "owner", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go deleted file mode 100644 index 8ade2ec3e323..000000000000 --- a/x-pack/filebeat/module/gsuite/fields.go +++ /dev/null 
@@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package gsuite - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "gsuite", asset.ModuleFieldsPri, AssetGsuite); err != nil { - panic(err) - } -} - -// AssetGsuite returns asset data. -// This is the base64 encoded zlib format compressed contents of module/gsuite. -func AssetGsuite() string { - return "eJzkXFtz3Dayfvev6EoefE4qGtXJox5OldaaOK5IlkqSs5va2qIwRJNEBAI0AM549tdv4cIRZ4bkXEDZk6xe7BoS39do3Lob3TyDZ1xeQK5rZvANgGGG4wV853/47g0ARZ0qVhkmxQX8/xsACG/DjaQ1t40yhpzqC/fsDAQpsYVo/yhmpOYmcS9eQEa4bh6ZZWXfVrKuVi9vEdq/955UV5iyjKWBdPJm9cKNVAhMZFKVxDYGMpO12WwAKREwQ8hkLSgQA4Uxlb44P6c4Ry4rVHqSS5lznKSyPCe0ZOJM0+dzhZVURp/P/+9cYYYKRYrnJDVszgxDfc6ZNkGWtj7aOiGpkWpie7x61CjgGZcLqWjr9x412L/HAl0zkFnAfLP2/DfCa2x6erH2COCHTw/T+x8u4FJIU6CCWqMCJsAUCJqUCFSWhInJZrPpPx6n9x8vr5OmvW8pa6MZRde8p+Wv09/d+0KKs6IuiWiE7tbPMy7j1HMr+BIqhRqFgUWBAp5eNP8ETMPTr9Pfnybwzk8FK/pTKoWuS1TJMy6frGLtrwo/16iNVJBJBbeXtSngp+tbuLz70DzTIBUQAYyiMCxj6N9VciYNkDSVtTB6u6s4R2FGngrvH9wKcdA/QkmqCilkSpbwxAyW+p//mrhn9j9BFX7YpWI5E4RDRZZcEro+glOSFpAxjhqNm1MFmSMQoCxzy8CAfSAzmPtpZ7vPrAB2PVI0hPGvsursH34hZWU3MFJTZr4PLy631P/MBB1P8X46aFmrFDcUb4n21PPNCetLqpwI9m+3r078Mo9Tn1egRwJTEGOXJckyTA1SmC3D8rOdeavDatneL2y3t+RonyXQsRuvIVQVZ6nvFlJm/90Qs69vW/2z/WlWoEea7KS0v8TwtbDeaoe/mxMFmXHchD6INkCswe7k5Sy1k1EnUlFUiajLGapjpbi1GOAx7DlEwUhQSBFLcEQa9QEiVbVKC6KP18pHL4nMoMGEFeZuOVjUaLSQ4MPVbjaiq2Q8xpV5VRGtbeO9ZKhI+kxyjJSjlDPG18UJwL1CuM1hgiVhPIbZwbzVUClWErUEBwiEUoW6Z+IJXCTuhIzhFbjwx6w7ZZ3JhsYwkXdzSk7jOSWnB3GqPKkFM9GbW/vMIRws5sAWt6LNah41tFLlnssCQUVMAUykvKZM5P5UktK8vNUvUaOlWD0EnAEma4gnFDMmkCZj0dr2jR1sCc4CwfDoNw9bcK/bd7+gK8WkchbOsWzvLQ684HSzBQ+HcEaOZmoZPg5nkCl2FJsNKhD26zHwaUylo
EQtk/hpG5B2c5dEkBxpkkqRsbxWJHbatOduAIc18J4tWookQ2Jq5daRmjNrHGjkmMZItGn5AnyU4qwhgoYIVkSbHjTAz9bJBGu8225VUms249h4XM7StxbQEV6CdVYEZV8aJ2EZXmsdqmdhFervf76+fPjl+sP7Xx6T6dWn5OPtx+Tn6eXjp/vpVfIwvf/tw7vpQ/IwvZ6+e5xedarYGeNjDa0D6x7Kxh2LtK3abA1ky9Xv347jTQyLcpiF4XgFS59jl26gbqAG2GZMmYIS003X8aCPywG5Bj3bPDG4IMuo/fC9x/AbEdyFAJG1YWWJkFontJnp3UKkhZIlJlJPNGrNpEg2AjgHifPOocHtAwQ017Rnd0a7RUw0KkZ4pO905bDAYwUfapD1gCW00TJGPUHMfp1Uignjtmk77Ue0dhwwBOB+6tdg3TESqSxLImgSokRHzzwP0wSbenZQyWN2z0+Cfa5xMyxqCqYdsu3unHHMewbXsceod/vQfXS2O8cOQwS+yRFLkaPd1+hZaBY2n74pF/QVo5W7BmXQb3H2yAh+i8MZ8lsUj2ZZ4EwzM8RSKUnrNN4fDTh7MOnnegyih18/dfPMav6c1JULIWeE9UXzuBT5fkErDwIKU6moBiYcBXgKsLN8wGpuS2OkId1Wz/7COIwjZfHeIOFcLpAmG8HugwbiIylRuws2C3ZmoZB6/J4N01lok881UUQYJjDag2qfDi+wQ+Rc5olGotIiyRi3p0mJWscH2rjMweOCx32rg0Ea8HvjbX1yaUOUSaIsxy6hHOyAGdknDtpDdWxh7KYv8iOkUZiyiqEwk+jgXf/IvZAcNnAoKKrXFCwwHKkxVnVKtfXzMZp6q+HD3bAPtkNtryCdR95DtOC9rK5HIi+Ctg2s6+bqIyCfgo0lVT5sV21qJZwd/+VakaQ2xU+TMUzBbY24PIqfBuzDb6MUjWmtmFnupZlxru+CJva5wevgjRmVDuaBu5Vt7hjPvndGtKXZ9vtPeVbMUbEsiJ6UaAo54g5yj9x6iWsk4ElOUkNAxGYPYVS/2d0nDA8I4ajiXT6HMrAwVB0ZpXAxibozJvFybc4mKXe2TSzT5d0H8FA7+HQqq+Ov0hoqj9Jz5UPLiZHPGHXNc3N1A3MUVCpAoSTnpe2ag+1n9Q3GoR1MumEik1EB4q4QFtOwYJzDDFdpL9oQg7AoiHFpbXbZt7NgF0RDWhCRn4bpsc/idYZtUkrBjFQTitok0dcpFoWJkBjszeTGtw6ebKDbQyJu1TBJC3J0dMFK5C4c1rjBA+8tAVUkixLBAcTJwEQqS7YV2zlIjAYjThJZm1xGStJgHCoJrctq4tNEMKHI0fS4EDMpOZLNXW9Njg+C2kMeNbAMApan0UBcirujoU1WKX6xi26ndE3KVSqFQRE3cz2EfrliZ3wmvzTJVztF+VyjWsaFlp0n7HD8PtikJjn87rPa52tHXggHlF4z3aekTUg6QmJfSG/zdz/gIa2fvxf12AdPrzinYqh78YYPlqCiFJXxlnS89Ra00oKEVJbloD/ViCHLiohlIhcCaeL12m107Qqeu2jxKoAekIBAYAC5EH1pRkwbxWZ1SA02zMTdsXdPnTYLeBY/FX6ERcHSokl3Jz7AHiLfrq5CqvysJ9HudOdZl1bHX5BdWrWQPUpd1+cpq3KlRsXm2/Uxh+T3zxjnZMa7Fb/HWfz3Al2RlLu3bqQHplfAPVeoLlEoySSnqA65e+kGcEV5B2O0LN4ISTpQjhMnY4flE6y1G3fxXMm0dq7ilZ1g/gT7qtN/c2K305hdiZBdDwmpYhL1u/eM905WeMdlTeFOyT8wtcZMY8mtReCsf1Khsq6k9TSL5tDvnvNunOxRdmjuWwcA04kuiLKn4pamDli92yr4m28EGSc5UBTSZRcvwip35K4QCTy934F6c4BKopaJq00aT8K1HceJssoAdEVQcAmaCTuGrvzSj4h1BfxcLskSchSorCGicY6KcN+yx
wBo63n02VZvJQGFefaIpPQST0K5pqxqH+XMQrWlFxoUcrca7NojrXbgqgyxdM4IcYnpTLhK1PZb3X2eM81mjLcL3aK7+9sK0/WRqByNn9InsrNE1590zlVh10pI0pcKKmUFDzpwGbocQ/RJ/+h+Wa9gYcaHs2xHiIICVd8VRGwlyzjSr9fC7C29LhCNTlhpRy5RFjBZ3SonVKbH9upKpq3dewXp8lYCK3hWcKwDyn2FNeE0/ALcViXTUEhO9bpWdy3XxCN8fQntrJVuM+Xt11vzpFt0vw8kWxWzkWK3SkjsPPTmvj+g0xS19qH3tdCvjx1bl4BwLZuyd1eAArZXRgILgacGqRPIEdoGnl97M8GVhLcUs8r1pMHU6rlroBRpouQB5uRO3VxaTCjResO6YJXP+XQLwp6Y594ZYmLgnICv7A31b9ov3QhTf+wLhVDB7sGtVlonbEuHG+o7VXWtGTONW/kNNNddRnA6elJYyvnoK+/eo/5V1p7fu4+ODXoL0H8jRcHGstkKdfjE0qhYB0l5UqEqmSsmGW9YQ2XkCnllMdUVtRb7tx2/LcVt3DiMrQef4DewWcdVfm3T3jjUPXjHXcyB1tVhnOoAh4k49hD/Web3K3h0Hxvv7H/0/zbWbd5WyskqI9ZB3OrXbeOU/OlUMfKccF8T+3NpIFQlRNy/bqvh4ebx7qXcwaXZELFeBbGtj6bI1PpDpaShdmUwINdgvbyekJHLz29CL1oSdUV2XQc2hpAohCdSVcpaek9ABIUnhX+4zzY99QQ/DDH10clkHQ5eQAzvzZrvcsjaVLUJ49JTJ9TbJV8BFTqk6zRFpGs92rLYuMxjPz4VPnflk5uSkJV0cNw8LQjnaD2csRNPr20XX/CbnNOvusqdmntuHAjjtRrbsfOdDtjf4G5ooMOv0dFUoYvOE65Pq7NMJ/4TIknmvt7Y2fGuK5Y2QK0rljLZs/1stl7tWKTkcSv75Rotqgqw4xQiJYeHuz0T9/+aK8QOT1/KLTPM2uzJbMQw9r3P+fK3Vw+XN9dAalPYRTP07Tup8lowk1TEFOPJAvDJRxTy7SSO9QM3SSUdc+LZfoeD1yL31Y67FevyJZNXlMPR+LTMdaH+EwAA///6ieSc" -} diff --git a/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml b/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml deleted file mode 100644 index 05cd6b685902..000000000000 --- a/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml +++ /dev/null 
@@ -1,57 +0,0 @@
-- name: groups
- type: group
- fields:
- - name: acl_permission
- type: keyword
- description: >
- Group permission setting updated.
- For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: email
- type: keyword
- description: >
- Group email.
- - name: member.email
- type: keyword
- description: >
- Member email.
- - name: member.role
- type: keyword
- description: >
- Member role.
- For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: setting
- type: keyword
- description: >
- Group setting updated.
- For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: new_value
- type: keyword
- description: >
- New value(s) of the group setting.
- For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: old_value
- type: keyword
- description:
- Old value(s) of the group setting.
- For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: value
- type: keyword
- description: >
- Value of the group setting.
- For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
- - name: message.id
- type: keyword
- description: >
- SMTP message Id of an email message.
- Present for moderation events.
- - name: message.moderation_action
- type: keyword
- description: >
- Message moderation action.
- Possible values are `approved` and `rejected`.
- - name: status
- type: keyword
- description: >
- A status describing the output of an operation.
- Possible values are `failed` and `succeeded`.
-
diff --git a/x-pack/filebeat/module/gsuite/groups/config/config.yml b/x-pack/filebeat/module/gsuite/groups/config/config.yml
deleted file mode 100644
index 75b9d16063b3..000000000000
--- a/x-pack/filebeat/module/gsuite/groups/config/config.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-{{ if eq .input "httpjson" }}
-type: httpjson
-
-url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/groups
-json_objects_array: items
-split_events_by: events
-
-interval: {{ .interval }}
-
-{{ if .http_client_timeout }}
-http_client_timeout: {{ .http_client_timeout }}
-{{ end }}
-
-oauth2.provider: google
-oauth2.google.jwt_file: {{ .jwt_file }}
-oauth2.google.delegated_account: {{ .delegated_account }}
-oauth2.scopes:
- - https://www.googleapis.com/auth/admin.reports.audit.readonly
-
-date_cursor.url_field: startTime
-date_cursor.initial_interval: {{ .initial_interval }}
-
-pagination.id_field: nextPageToken
-pagination.url_field: pageToken
-
-{{ if .proxy_url }}
-request.proxy_url: {{ .proxy_url }}
-{{ end }}
-
-{{ else if eq .input "file" }}
-type: log
-paths:
-{{ range $i, $path := .paths }}
- - {{$path}}
-{{ end }}
-exclude_files: [".gz$"]
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.11.0
- - script:
- lang: javascript
- id: gsuite-common
- file: ${path.home}/module/gsuite/config/common.js
- - script:
- lang: javascript
- id: gsuite-groups
- file: ${path.home}/module/gsuite/groups/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js
deleted file mode 100644
index a0144435049f..000000000000
--- a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js
+++ /dev/null
@@ -1,223 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-var groups = (function () {
- var processor = require("processor");
-
- var categorizeEvent = function(evt) {
- evt.Put("event.category", ["iam"]);
- evt.Put("event.type", ["group"]);
- switch (evt.Get("event.action")) {
- case "change_basic_setting":
- case "change_identity_setting":
- case "change_info_setting":
- case "change_new_members_restrictions_setting":
- case "change_post_replies_setting":
- case "change_spam_moderation_setting":
- case "change_topic_setting":
- evt.AppendTo("event.category", "configuration");
- evt.AppendTo("event.type", "change");
- break;
- case "change_acl_permission":
- evt.AppendTo("event.type", "change");
- break;
- case "accept_invitation":
- evt.AppendTo("event.type", "info");
- evt.AppendTo("event.type", "user");
- break;
- case "approve_join_request":
- case "join":
- evt.AppendTo("event.type", "user");
- evt.AppendTo("event.type", "change");
- break;
- case "request_to_join":
- case "ban_user_with_moderation":
- case "revoke_invitation":
- case "invite_user":
- case "reject_join_request":
- case "reinvite_user":
- evt.AppendTo("event.type", "info");
- evt.AppendTo("event.type", "user");
- break;
- case "create_group":
- evt.AppendTo("event.type", "creation");
- break;
- case "add_info_setting":
- evt.AppendTo("event.category", "configuration");
- evt.AppendTo("event.type", "creation");
- break;
- case "delete_group":
- evt.AppendTo("event.type", "deletion");
- break;
- case "remove_info_setting":
- evt.AppendTo("event.category", "configuration");
- evt.AppendTo("event.type", "deletion");
- break;
- case "moderate_message":
- case "always_post_from_user":
- evt.AppendTo("event.type", "info");
- break;
- case "add_user":
- evt.AppendTo("event.type", "creation");
- evt.AppendTo("event.type", "user");
- break;
- case "remove_user":
- evt.AppendTo("event.type", "deletion");
- evt.AppendTo("event.type", "user");
- break;
- }
- };
-
- var getParamValue = function(param) {
- if (param.value) {
- return param.value;
- }
- if (param.multiValue) {
- return param.multiValue;
- }
- };
-
- var flattenParams = function(evt) {
- var params = evt.Get("json.events.parameters");
- if (!params || !Array.isArray(params)) {
- return;
- }
-
- params.forEach(function(p){
- evt.Put("gsuite.groups."+p.name, getParamValue(p));
- });
-
- evt.Delete("json.events.parameters");
- };
-
- var setOutcome = function(evt) {
- switch (evt.Get("gsuite.groups.status")) {
- case "failed":
- evt.Put("event.outcome", "failure");
- break;
- case "succeeded":
- evt.Put("event.outcome", "success");
- break;
- }
- };
-
- var setGroupInfo = function(evt) {
- var email = evt.Get("gsuite.groups.email");
- if (!email) {
- return;
- }
-
- var data = email.split("@");
- if (data.length !== 2) {
- return;
- }
-
- evt.Put("group.name", data[0]);
- evt.Put("group.domain", data[1]);
- };
-
- var setRelatedMemberInfo = function(evt) {
- var email = evt.Get("gsuite.groups.member.email");
- if (!email) {
- return;
- }
-
- var data = email.split("@");
- if (data.length !== 2) {
- return;
- }
-
- evt.AppendTo("related.user", data[0]);
- evt.Put("user.target.name", data[0]);
- evt.Put("user.target.domain", data[1]);
- evt.Put("user.target.email", email);
- var groupName = evt.Get("group.name");
- if (groupName) {
- evt.Put("user.target.group.name", groupName);
- }
- var groupDomain = evt.Get("group.domain");
- if (groupDomain) {
- evt.Put("user.target.group.domain", groupDomain);
- }
- };
-
- var pipeline = new processor.Chain()
- .Add(categorizeEvent)
- .Add(flattenParams)
- .Convert({
- fields: [
- {
- from: "gsuite.groups.group_email",
- to: "gsuite.groups.email",
- },
- {
- from: "gsuite.groups.new_value_repeated",
- to: "gsuite.groups.new_value",
- },
- {
- from: "gsuite.groups.old_value_repeated",
- to: "gsuite.groups.old_value",
- },
- {
- from: "gsuite.groups.user_email",
- to: "gsuite.groups.member.email",
- },
- {
- from: "gsuite.groups.basic_setting",
- to: "gsuite.groups.setting",
- },
- {
- from: "gsuite.groups.identity_setting",
- to: "gsuite.groups.setting",
- },
- {
- from: "gsuite.groups.info_setting",
- to: "gsuite.groups.setting",
- },
- {
- from: "gsuite.groups.new_members_restrictions_setting",
- to: "gsuite.groups.setting",
- },
- {
- from: "gsuite.groups.post_replies_setting",
- to: "gsuite.groups.setting",
- },
- {
- from: "gsuite.groups.spam_moderation_setting",
- to: "gsuite.groups.setting",
- },
- {
- from: "gsuite.groups.topic_setting",
- to: "gsuite.groups.setting",
- },
- {
- from: "gsuite.groups.message_id",
- to: "gsuite.groups.message.id",
- },
- {
- from: "gsuite.groups.message_moderation_action",
- to: "gsuite.groups.message.moderation_action",
- },
- {
- from: "gsuite.groups.member_role",
- to: "gsuite.groups.member.role",
- },
- ],
- mode: "rename",
- ignore_missing: true,
- fail_on_error: false,
- })
- .Add(setOutcome)
- .Add(setGroupInfo)
- .Add(setRelatedMemberInfo)
- .Build();
-
- return {
- process: pipeline.Run,
- };
-}());
-
-function process(evt) {
- return groups.process(evt);
-}
diff --git a/x-pack/filebeat/module/gsuite/groups/manifest.yml b/x-pack/filebeat/module/gsuite/groups/manifest.yml
deleted file mode 100644
index c5992776ac07..000000000000
--- a/x-pack/filebeat/module/gsuite/groups/manifest.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-module_version: 1.0
-
-var:
- - name: input
- default: httpjson
- - name: jwt_file
- - name: delegated_account
- - name: initial_interval
- default: 24h
- - name: http_client_timeout
- default: 60s
- - name: user_key
- default: all
- - name: interval
- default: 2h
- - name: tags
- default: [forwarded]
- - name: proxy_url
-
-input: config/config.yml
-ingest_pipeline: ../ingest/common.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log
deleted file mode 100644
index e67fe7571a3c..000000000000
--- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log
+++ /dev/null
@@ -1,25 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_permission","parameters":[{"name":"acl_permission","value":"can_add_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value_repeated","multiValue":["managers","members"]},{"name":"old_value_repeated","multiValue":["managers"]}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"accept_invitation","parameters":[{"name":"group_email","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"approve_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"join","parameters":[{"name":"group_email","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"request_to_join","parameters":[{"name":"group_email","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_basic_setting","parameters":[{"name":"basic_setting","value":"allow_external_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value","value":"true"},{"name":"old_value","value":"false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"create_group","parameters":[{"name":"group_email","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"delete_group","parameters":[{"name":"group_email","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_identity_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"identity_setting","value":"required_forms_of_identity"},{"name":"new_value","value":"display_name_only"},{"name":"old_value","value":"display_name_or_google_profile"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"new_value","value":"footer"},{"name":"old_value","value":"old footer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_new_members_restrictions_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"new_members_restrictions_setting","value":"new_members_can_post"},{"name":"new_value","value":"inherit"},{"name":"old_value","value":"overriden_to_false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_post_replies_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"post_replies_setting","value":"where_should_replies_be_sent"},{"name":"new_value","value":"reply_to_custom_address"},{"name":"old_value","value":"reply_to_author_only"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_spam_moderation_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"spam_moderation_setting","value":"how_to_handle_suspected_spam_messages"},{"name":"new_value","value":"moderate_and_do_not_send_notifications"},{"name":"old_value","value":"moderate_and_send_notifications"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_topic_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"topic_setting","value":"allowed_topic_types"},{"name":"new_value","value":"discussions_questions"},{"name":"old_value","value":"discussions"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"moderate_message","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"message_moderation_action","value":"approved"},{"name":"status","value":"succeeded"},{"name":"message_id","value":"message id"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"always_post_from_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"status","value":"succeeded"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"ban_user_with_moderation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"revoke_invitation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"invite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reject_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reinvite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json deleted file mode 100644 index 758ba9ba2b11..000000000000 
--- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json +++ /dev/null 
@@ -1,1476 +0,0 @@ -[ - { - "event.action": "change_acl_permission", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "acl_change", - "gsuite.groups.acl_permission": "can_add_members", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": [ - "managers", - "members" - ], - "gsuite.groups.old_value": [ - "managers" - ], - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - 
"source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "accept_invitation", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 559, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - 
"source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "approve_join_request", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 946, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": 
"foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "join", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1385, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - 
"source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "request_to_join", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1759, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": 
"foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_basic_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "true", - "gsuite.groups.old_value": "false", - "gsuite.groups.setting": "allow_external_members", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2144, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - 
"source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "create_group", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "creation", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2665, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": 
"foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "delete_group", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "deletion", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3047, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - 
"user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_identity_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "display_name_only", - "gsuite.groups.old_value": "display_name_or_google_profile", - "gsuite.groups.setting": "required_forms_of_identity", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3429, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - 
"source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "add_info_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", - "event.provider": "groups", - "event.type": [ - "creation", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.setting": "custom_footer", - "gsuite.groups.value": "footer", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3998, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - 
"source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_info_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "footer", - "gsuite.groups.old_value": "old footer", - "gsuite.groups.setting": "custom_footer", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4466, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - 
"source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "remove_info_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", - "event.provider": "groups", - "event.type": [ - "deletion", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.setting": "custom_footer", - "gsuite.groups.value": "footer", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4983, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 
7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_new_members_restrictions_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "inherit", - "gsuite.groups.old_value": "overriden_to_false", - "gsuite.groups.setting": "new_members_can_post", - "gsuite.kind": 
"admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5454, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_post_replies_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": 
"USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "reply_to_custom_address", - "gsuite.groups.old_value": "reply_to_author_only", - "gsuite.groups.setting": "where_should_replies_be_sent", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6027, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_spam_moderation_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "moderate_and_do_not_send_notifications", - "gsuite.groups.old_value": "moderate_and_send_notifications", - "gsuite.groups.setting": "how_to_handle_suspected_spam_messages", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6602, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - 
"source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "change_topic_setting", - "event.category": [ - "configuration", - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}", - "event.provider": "groups", - "event.type": [ - "change", - "group" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.new_value": "discussions_questions", - "gsuite.groups.old_value": "discussions", - "gsuite.groups.setting": "allowed_topic_types", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7218, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - 
"source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "moderate_message", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}", - "event.outcome": "success", - "event.provider": "groups", - "event.type": [ - "group", - "info" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.message.id": "message id", - "gsuite.groups.message.moderation_action": "approved", - "gsuite.groups.status": "succeeded", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7759, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - 
"source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "always_post_from_user", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}", - "event.outcome": "success", - "event.provider": "groups", - "event.type": [ - "group", - "info" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.groups.status": "succeeded", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8282, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - 
"service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "add_user", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", - "event.provider": "groups", - "event.type": [ - "creation", - "group", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - 
"gsuite.groups.member.role": "manager", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8760, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "ban_user_with_moderation", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", - "event.provider": "groups", - 
"event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.groups.member.role": "manager", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9228, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "revoke_invitation", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9712, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - 
"user.target.name": "user" - }, - { - "event.action": "invite_user", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10148, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - 
"user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "reject_join_request", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10578, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - 
"source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "reinvite_user", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "group", - "info", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11016, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - 
"source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - }, - { - "event.action": "remove_user", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.groups", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", - "event.provider": "groups", - "event.type": [ - "deletion", - "group", - "user" - ], - "fileset.name": "groups", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.event.type": "moderator_action", - "gsuite.groups.email": "group@example.com", - "gsuite.groups.member.email": "user@example.com", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11448, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable 
Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo", - "user.target.domain": "example.com", - "user.target.email": "user@example.com", - "user.target.group.domain": "example.com", - "user.target.group.name": "group", - "user.target.name": "user" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/ingest/common.yml b/x-pack/filebeat/module/gsuite/ingest/common.yml deleted file mode 100644 index f35335c18468..000000000000 --- a/x-pack/filebeat/module/gsuite/ingest/common.yml +++ /dev/null @@ -1,33 +0,0 @@ -description: Pipeline for parsing gsuite logs -processors: - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - remove: - field: json - ignore_missing: true - - set: - field: event.ingested - value: "{{ _ingest.timestamp }}" - -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/gsuite/login/_meta/fields.yml b/x-pack/filebeat/module/gsuite/login/_meta/fields.yml deleted file mode 100644 index dc8e9711616e..000000000000 
--- a/x-pack/filebeat/module/gsuite/login/_meta/fields.yml +++ /dev/null @@ -1,21 +0,0 @@ -- name: login - type: group - fields: - - name: affected_email_address - type: keyword - - name: challenge_method - type: keyword - description: > - Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - - name: failure_type - type: keyword - description: > - Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - - name: type - type: keyword - description: > - Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - - name: is_second_factor - type: boolean - - name: is_suspicious - type: boolean diff --git a/x-pack/filebeat/module/gsuite/login/config/config.yml b/x-pack/filebeat/module/gsuite/login/config/config.yml deleted file mode 100644 index 8575999100c8..000000000000 --- a/x-pack/filebeat/module/gsuite/login/config/config.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -{{ if eq .input "httpjson" }} -type: httpjson - -url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/login -json_objects_array: items -split_events_by: events - -interval: {{ .interval }} - -{{ if .http_client_timeout }} -http_client_timeout: {{ .http_client_timeout }} -{{ end }} - -oauth2.provider: google -oauth2.google.jwt_file: {{ .jwt_file }} -oauth2.google.delegated_account: {{ .delegated_account }} -oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly - -date_cursor.url_field: startTime -date_cursor.initial_interval: {{ .initial_interval }} - -pagination.id_field: nextPageToken -pagination.url_field: pageToken - -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} - -{{ else if eq .input "file" }} -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.11.0 - - script: - lang: javascript - id: gsuite-common - file: ${path.home}/module/gsuite/config/common.js - - script: - lang: javascript - id: gsuite-login - file: ${path.home}/module/gsuite/login/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/login/config/pipeline.js b/x-pack/filebeat/module/gsuite/login/config/pipeline.js deleted file mode 100644 index 2ad5d52f7de8..000000000000 --- a/x-pack/filebeat/module/gsuite/login/config/pipeline.js +++ /dev/null 
@@ -1,117 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -var login = (function () { - var processor = require("processor"); - - var categorizeEvent = function(evt) { - evt.Put("event.category", ["authentication"]); - switch (evt.Get("event.action")) { - case "login_failure": - evt.AppendTo("event.category", "session"); - evt.Put("event.type", ["start"]); - evt.Put("event.outcome", "failure"); - break; - case "login_success": - evt.AppendTo("event.category", "session"); - evt.Put("event.type", ["start"]); - evt.Put("event.outcome", "success"); - break; - case "logout": - evt.AppendTo("event.category", "session"); - evt.Put("event.type", ["end"]); - break; - case "account_disabled_generic": - case "account_disabled_spamming_through_relay": - case "account_disabled_spamming": - case "account_disabled_hijacked": - case "account_disabled_password_leak": - evt.Put("event.type", ["user", "change"]); - break; - case "gov_attack_warning": - case "login_challenge": - case "login_verification": - case "suspicious_login": - case "suspicious_login_less_secure_app": - case "suspicious_programmatic_login": - evt.Put("event.type", ["info"]); - break; - } - }; - - var getParamValue = function(param) { - if (param.value) { - return param.value; - } - if (param.multiValue) { - return param.multiValue; - } - }; - - var processParams = function(evt) { - var params = evt.Get("json.events.parameters"); - if (!params || !Array.isArray(params)) { - return; - } - - var prefixRegex = /^(login_)/; - - params.forEach(function(p){ - p.name = p.name.replace(prefixRegex, ""); - switch (p.name) { - // According to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login - // this is a timestamp in microseconds - case "timestamp": - var millis = p.intValue / 1000; - 
evt.Put("event.start", new Date(millis)); - break; - case "challenge_status": - if (p.value === "Challenge Passed") { - evt.Put("event.outcome", "success"); - } else { - evt.Put("event.outcome", "failure"); - } - break; - case "is_second_factor": - case "is_suspicious": - evt.Put("gsuite.login."+p.name, p.boolValue); - break; - // the rest of params are strings - default: - evt.Put("gsuite.login."+p.name, getParamValue(p)); - } - }); - - evt.Delete("json.events.parameters"); - }; - - var addTargetUser = function(evt) { - var affectedEmail = evt.Get("google_workspace.login.affected_email_address"); - if (affectedEmail) { - evt.Put("user.target.email", affectedEmail); - var data = affectedEmail.split("@"); - if (data.length !== 2) { - return; - } - - evt.Put("user.target.name", data[0]); - evt.Put("user.target.domain", data[1]); - evt.AppendTo("related.user", data[0]); - } - }; - - var pipeline = new processor.Chain() - .Add(categorizeEvent) - .Add(processParams) - .Add(addTargetUser) - .Build(); - - return { - process: pipeline.Run, - }; -}()); - -function process(evt) { - return login.process(evt); -} diff --git a/x-pack/filebeat/module/gsuite/login/manifest.yml b/x-pack/filebeat/module/gsuite/login/manifest.yml deleted file mode 100644 index c5992776ac07..000000000000 --- a/x-pack/filebeat/module/gsuite/login/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: jwt_file - - name: delegated_account - - name: initial_interval - default: 24h - - name: http_client_timeout - default: 60s - - name: user_key - default: all - - name: interval - default: 2h - - name: tags - default: [forwarded] - - name: proxy_url - -input: config/config.yml -ingest_pipeline: ../ingest/common.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip 
diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log deleted file mode 100644 index b721c74bf484..000000000000 --- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log +++ /dev/null 
@@ -1,14 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_password_leak","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login_less_secure_app","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_programmatic_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_generic","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming_through_relay","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_hijacked","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"gov_attack_warning"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_failure_type","value":"login_failure_access_code_disallowed"},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_challenge","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_verification","parameters":[{"name":"is_second_factor","boolValue":false},{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}}
diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json
deleted file mode 100644
index aa37acec18e8..000000000000
--- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json
+++ /dev/null
@@ -1,738 +0,0 @@ -[ - { - "event.action": "account_disabled_password_leak", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", - "event.provider": "login", - "event.type": [ - "change", - "user" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "suspicious_login", - "event.category": [ - "authentication" - ], - "event.dataset": 
"gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", - "event.provider": "login", - "event.start": "2020-07-02T13:08:25.123Z", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 406, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "suspicious_login_less_secure_app", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": 
"gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login_less_secure_app\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", - "event.provider": "login", - "event.start": "2020-07-02T13:08:25.123Z", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 853, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "suspicious_programmatic_login", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_programmatic_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", - "event.provider": "login", - "event.start": "2020-07-02T13:08:25.123Z", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1316, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "account_disabled_generic", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", - "event.provider": "login", - "event.type": [ - "change", - "user" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1776, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "account_disabled_spamming_through_relay", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", - "event.provider": "login", - "event.type": [ - "change", - "user" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2176, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "account_disabled_spamming", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", - "event.provider": "login", - "event.type": [ - "change", - "user" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2591, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "account_disabled_hijacked", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_hijacked\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}", - "event.provider": "login", - "event.start": "2020-07-02T13:08:25.123Z", - "event.type": [ - "change", - "user" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.affected_email_address": "foo@elastic.co", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2992, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "gov_attack_warning", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}", - "event.provider": "login", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "account_warning", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3448, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "login_failure", - "event.category": [ - "authentication", - "session" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", - "event.outcome": "failure", - "event.provider": "login", - "event.type": [ - "start" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.challenge_method": "backup_code", - "gsuite.login.failure_type": "login_failure_access_code_disallowed", - "gsuite.login.type": "exchange", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3768, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "login_challenge", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", - "event.outcome": "failure", - "event.provider": "login", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.challenge_method": "backup_code", - "gsuite.login.type": "exchange", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4262, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "login_verification", - "event.category": [ - "authentication" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - 
"event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", - "event.outcome": "failure", - "event.provider": "login", - "event.type": [ - "info" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.challenge_method": "backup_code", - "gsuite.login.is_second_factor": false, - "gsuite.login.type": "exchange", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4743, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "logout", - "event.category": [ - 
"authentication", - "session" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", - "event.provider": "login", - "event.type": [ - "end" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.type": "exchange", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5273, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "login_success", - "event.category": [ - "authentication", - "session" - ], - "event.dataset": "gsuite.login", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", - "event.outcome": "success", - "event.provider": "login", - "event.type": [ - "start" - ], - "fileset.name": "login", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.login.challenge_method": "backup_code", - "gsuite.login.is_suspicious": false, - "gsuite.login.type": "exchange", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5627, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml b/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml
deleted file mode 100644
index fc0adfcb55c2..000000000000
--- a/x-pack/filebeat/module/gsuite/saml/_meta/fields.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: saml
- type: group
- fields:
- - name: application_name
- type: keyword
- description: >
- Saml SP application name.
- - name: failure_type
- type: keyword
- description: >
- Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml.
- - name: initiated_by
- type: keyword
- description: >
- Requester of SAML authentication.
- - name: orgunit_path
- type: keyword
- description: >
- User orgunit.
- - name: status_code
- type: keyword
- description: >
- SAML status code.
- - name: second_level_status_code
- type: keyword
- description: >
- SAML second level status code.
diff --git a/x-pack/filebeat/module/gsuite/saml/config/config.yml b/x-pack/filebeat/module/gsuite/saml/config/config.yml
deleted file mode 100644
index 1db5796e6701..000000000000
--- a/x-pack/filebeat/module/gsuite/saml/config/config.yml
+++ /dev/null
@@ -1,54 +0,0 @@ -{{ if eq .input "httpjson" }} -type: httpjson - -url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/saml -json_objects_array: items -split_events_by: events - -interval: {{ .interval }} - -{{ if .http_client_timeout }} -http_client_timeout: {{ .http_client_timeout }} -{{ end }} - -oauth2.provider: google -oauth2.google.jwt_file: {{ .jwt_file }} -oauth2.google.delegated_account: {{ .delegated_account }} -oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly - -date_cursor.url_field: startTime -date_cursor.initial_interval: {{ .initial_interval }} - -pagination.id_field: nextPageToken -pagination.url_field: pageToken - -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} - -{{ else if eq .input "file" }} -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.11.0 - - script: - lang: javascript - id: gsuite-common - file: ${path.home}/module/gsuite/config/common.js - - script: - lang: javascript - id: gsuite-saml - file: ${path.home}/module/gsuite/saml/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js b/x-pack/filebeat/module/gsuite/saml/config/pipeline.js deleted file mode 100644 index 705db7f2f1e7..000000000000 --- a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js +++ /dev/null 
@@ -1,53 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -var saml = (function () { - var processor = require("processor"); - - var categorizeEvent = function(evt) { - evt.Put("event.type", ["start"]); - evt.Put("event.category", ["authentication", "session"]); - switch (evt.Get("event.action")) { - case "login_failure": - evt.Put("event.outcome", "failure"); - break; - case "login_success": - evt.Put("event.outcome", "success"); - break; - } - }; - - var processParams = function(evt) { - var params = evt.Get("json.events.parameters"); - if (!params || !Array.isArray(params)) { - return; - } - - var prefixRegex = /^(saml_)/; - - params.forEach(function(p){ - p.name = p.name.replace(prefixRegex, ""); - - // all saml event parameters are strings. - // for this reason we know for sure they are in the 'value' field. - // https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml - evt.Put("google_workspace.saml."+p.name, p.value); - }); - - evt.Delete("json.events.parameters"); - }; - - var pipeline = new processor.Chain() - .Add(categorizeEvent) - .Add(processParams) - .Build(); - - return { - process: pipeline.Run, - }; -}()); - -function process(evt) { - return saml.process(evt); -} diff --git a/x-pack/filebeat/module/gsuite/saml/manifest.yml b/x-pack/filebeat/module/gsuite/saml/manifest.yml deleted file mode 100644 index c5992776ac07..000000000000 --- a/x-pack/filebeat/module/gsuite/saml/manifest.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: jwt_file - - name: delegated_account - - name: initial_interval - default: 24h - - name: http_client_timeout - default: 60s - - name: user_key - default: all - - name: interval - default: 2h - - name: tags - default: [forwarded] - - name: proxy_url - -input: config/config.yml -ingest_pipeline: ../ingest/common.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log deleted file mode 100644 index ed672b58a568..000000000000 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log +++ /dev/null @@ -1,2 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"SUCCESS_URI"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}} 
diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json deleted file mode 100644 index 7763ca178817..000000000000 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json +++ /dev/null 
@@ -1,116 +0,0 @@ -[ - { - "event.action": "login_failure", - "event.category": [ - "authentication", - "session" - ], - "event.dataset": "gsuite.saml", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", - "event.outcome": "failure", - "event.provider": "saml", - "event.type": [ - "start" - ], - "fileset.name": "saml", - "google_workspace.saml.application_name": "app", - "google_workspace.saml.failure_type": "failure_app_not_configured_for_user", - "google_workspace.saml.initiated_by": "idp", - "google_workspace.saml.orgunit_path": "ounit", - "google_workspace.saml.second_level_status_code": "SUCCESS_URI", - "google_workspace.saml.status_code": "SUCCESS_URI", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United 
States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "login_success", - "event.category": [ - "authentication", - "session" - ], - "event.dataset": "gsuite.saml", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}", - "event.outcome": "success", - "event.provider": "saml", - "event.type": [ - "start" - ], - "fileset.name": "saml", - "google_workspace.saml.application_name": "app", - "google_workspace.saml.initiated_by": "idp", - "google_workspace.saml.orgunit_path": "ounit", - "google_workspace.saml.status_code": "SUCCESS_URI", - "gsuite.actor.type": "USER", - "gsuite.event.type": "login", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 622, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - 
"source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml deleted file mode 100644 index 1200b3ac4993..000000000000 --- a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -{{ if eq .input "httpjson" }} -type: httpjson - -url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/user_accounts -json_objects_array: items -split_events_by: events - -interval: {{ .interval }} - -{{ if .http_client_timeout }} -http_client_timeout: {{ .http_client_timeout }} -{{ end }} - -oauth2.provider: google -oauth2.google.jwt_file: {{ .jwt_file }} -oauth2.google.delegated_account: {{ .delegated_account }} -oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly - -date_cursor.url_field: startTime -date_cursor.initial_interval: {{ .initial_interval }} - -pagination.id_field: nextPageToken -pagination.url_field: pageToken - -{{ if .proxy_url }} -request.proxy_url: {{ .proxy_url }} -{{ end }} - -{{ else if eq .input "file" }} -type: log -paths: -{{ range $i, $path := .paths }} - - {{$path}} -{{ end }} -exclude_files: [".gz$"] -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -processors: - - add_fields: - target: '' - fields: - ecs.version: 1.11.0 - - script: - lang: javascript - id: gsuite-common - file: ${path.home}/module/gsuite/config/common.js - - script: - lang: javascript - id: gsuite-user_accounts - file: ${path.home}/module/gsuite/user_accounts/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js b/x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js deleted file mode 100644 index 89b54fa72dbb..000000000000 --- a/x-pack/filebeat/module/gsuite/user_accounts/config/pipeline.js +++ /dev/null 
@@ -1,24 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -var userAccounts = (function () { - var processor = require("processor"); - - var categorizeEvent = function(evt) { - evt.Put("event.type", ["change", "user"]); - evt.Put("event.category", ["iam"]); - }; - - var pipeline = new processor.Chain() - .Add(categorizeEvent) - .Build(); - - return { - process: pipeline.Run, - }; -}()); - -function process(evt) { - return userAccounts.process(evt); -} diff --git a/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml b/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml deleted file mode 100644 index c5992776ac07..000000000000 --- a/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml +++ /dev/null @@ -1,25 +0,0 @@ -module_version: 1.0 - -var: - - name: input - default: httpjson - - name: jwt_file - - name: delegated_account - - name: initial_interval - default: 24h - - name: http_client_timeout - default: 60s - - name: user_key - default: all - - name: interval - default: 2h - - name: tags - default: [forwarded] - - name: proxy_url - -input: config/config.yml -ingest_pipeline: ../ingest/common.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log deleted file mode 100644 index 7da8fdec9353..000000000000 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log +++ /dev/null 
@@ -1,8 +0,0 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_disable"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_enroll"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"password_change","name":"password_edit"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_email_edit"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_phone_edit"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_secret_qa_edit"}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_enroll"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_unenroll"}} diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json deleted file mode 100644 index 5943488f3241..000000000000 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json +++ /dev/null 
@@ -1,410 +0,0 @@ -[ - { - "event.action": "2sv_disable", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_disable\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "2sv_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "2sv_enroll", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_enroll\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "2sv_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 316, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "password_edit", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"password_change\",\"name\":\"password_edit\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "password_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 631, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "recovery_email_edit", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_email_edit\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "recovery_info_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 954, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "recovery_phone_edit", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_phone_edit\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "recovery_info_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1288, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "recovery_secret_qa_edit", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_secret_qa_edit\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "recovery_info_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1622, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "titanium_enroll", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_enroll\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "titanium_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1960, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - }, - { - "event.action": "titanium_unenroll", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.user_accounts", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_unenroll\"}}", - "event.provider": "user_accounts", - "event.type": [ - "change", - "user" - ], - "fileset.name": "user_accounts", - "gsuite.actor.type": "USER", - "gsuite.event.type": "titanium_change", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2285, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", - "source.user.domain": "bar.com", - "source.user.email": "foo@bar.com", - "source.user.id": "1", - "source.user.name": "foo", - "tags": [ - "forwarded" - ], - "user.domain": "bar.com", - "user.id": "1", - "user.name": "foo" - } -] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/cyberark.yml.disabled b/x-pack/filebeat/modules.d/cyberark.yml.disabled deleted file mode 100644 index 391acfe7b248..000000000000 --- a/x-pack/filebeat/modules.d/cyberark.yml.disabled +++ /dev/null 
@@ -1,24 +0,0 @@ -# Module: cyberark -# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-cyberark.html - -# The cyberark module is deprecated and will be removed in future releases. -# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. -- module: cyberark - corepas: - enabled: false - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9527 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled deleted file mode 100644 index ec38309a193d..000000000000 --- a/x-pack/filebeat/modules.d/gsuite.yml.disabled +++ /dev/null 
@@ -1,53 +0,0 @@ -# Module: gsuite -# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-gsuite.html - -# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. -- module: gsuite - saml: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - user_accounts: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - login: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - admin: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - drive: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h - groups: - enabled: false - # var.jwt_file: credentials.json - # var.delegated_account: admin@example.com - # var.initial_interval: 24h - # var.http_client_timeout: 60s - # var.user_key: all - # var.interval: 2h